Content Management System

github.com/kckrinke/go-cdk

CDK - Curses Development Kit The Curses Development Kit is the low-level compliment to the higher-level Curses Tool Kit. CDK is based primarily upon the TCell codebase, however, it is a hard-fork with many API-breaking changes. Some of the more salient changes are as follows: All CDK applications require some form of `Window` implementation in order to function. One can use the build-in `cdk.CWindow` type to construct a basic `Window` object and tie into it's signals in order to render to the canvas and handle events. For this example however, a more formal approach is taken. Starting out with a very slim definition of our custom `Window`, all that's necessary is the embed the concrete `cdk.CWindow` type and proceed with overriding various methods. The `Init` method is not necessary to overload, however, this is a good spot to do any UI initializations or the like. For this demo, the boilerplate minimum is given as an example to start from. The next method implemented is the `Draw` method. This method receives a pre-configured Canvas object, set to the available size of the `Display`. Within this method, the application needs to process as little "work" as possible and focus primarily on just rendering the content upon the canvas. Let's walk through each line of the `Draw` method. This line uses the built-in logging facilities to log an "info" message that the `Draw` method was invoked and let's us know some sort of human-readable description of the canvas (resembles JSON text but isn't really JSON). The advantage to using these built-in logging facilities is that the log entry itself will be prefixed with some extra metadata identifying the particular object instance with a bit of text in the format of "typeName-ID" where typeName is the object's CDK-type and the ID is an integer (marking the unique instance). Within CDK, there is a concept of `Theme`, which really is just a collection of useful purpose-driven `Style`s. One can set the default theme for the running CDK system, however the stock state is either a monochrome base theme or a colorized variant. Some of the rendering functions require `Style`s or `Theme`s passed as arguments and so we're getting that here for later use. Simply getting a `Rectangle` primitive with it's `W`idth and `H`eight values set according to the size of the canvas' internal buffer. `Rectangle` is a CDK primitive which has just two fields: `W` and `H`. Most places where spacial bounds are necessary, these primitives are used (such as the concept of a box `size` for painting upon a canvas). This is the first actual draw command. In this case, the `Box` method is configured to draw a box on the screen, starting at a position of 0,0 (top left corner), taking up the full volume of the canvas, with a border (first boolean `true` argument), ensuring to fill the entire area with the filler rune and style within a given theme, which is the last argument to the `Box` method. On a color-supporting terminal, this will paint a navy-blue box over the entire terminal screen. These few lines of code are merely concatenating a string of `Tango` markup that includes use of ``, ``, ``, and `` tags. All colors have fallback versions and are typically safe even for monochrome terminal sessions. This sets up a variable holding a `Point2I` instance configured for 1/4 of the width into the screen (from the left) and halfway minus one of the height into the screen (from the top). `Point2I` is a CDK primitive which has just two fields: `X` and `Y`. Most places where coordinates are necessary, these primitives are used (such as the concept of an `origin` point for painting upon a canvas). This sets up a variable holding a `Rectangle` configured to be half the size of the canvas itself. This last command within the `Draw` method paints the textual-content prepared earlier onto the canvas provided, center-justified, wrapping on word boundaries, using the default `Normal` theme, specifying that the content is in fact to be parsed as `Tango` markup and finally the content itself. The result of this drawing process should be a navy-blue screen, with a border, and three lines of text centered neatly. The three lines of text should be marked up with bold, italics, underlines and colorization. The last line of text should be telling the current time and date at the time of rendering. The `ProcessEvent` method is the main event handler. Whenever a new event is received by a CDK `Display`, it is passed on to the active `Window` and in this demonstration, all that's happening is a log entry is being made which mentions the event received. When implementing your own `ProcessEvent` method, if the `Display` should repaint the screen for example, one would make two calls to methods on the `DisplayManager`: CDK is a multi-threaded framework and the various `Request*()` methods on the `DisplayManager` are used to funnel requests along the right channels in order to first render the canvas (via `Draw` calls on the active `Window`) and then follow that up with the running `Display` painting itself from the canvas modified in the `Draw` process. The other complete list of request methods is as follows: This concludes the `CdkDemoWindow` type implementation. Now on to using it! The `main()` function within the `_demos/cdk-demo.go` sources is deceptively simple to implement. The bulk of the code is constructing a new CDK `App` instance. This object is a wrapper around the `github.com/urfave/cli/v2` CLI package, providing a tidy interface to managing CLI arguments, help documentation and so on. In this example, the `App` is configured with a bunch of metadata for: the program's name "cdk-demo", a simply usage summary, the current version number, an internally-used tag, a title for the main window and the display is to use the `/dev/tty` (default) terminal device. Beyond the metadata, the final argument is an initialization function. This function receives a fully instantiated and running `Display` instance and it is expected that the application instantiates it's `Window` and sets it as the active window for the given `Display`. In addition to that is one final call to `AddTimeout`. This call will trigger the given `func() cdk.EventFlag` once, after a second. Because the `func()` implemented here in this demonstration returns the `cdk.EVENT_PASS` flag it will be continually called once per second. For this demonstration, this implementation simply requests a draw and show cycle which will cause the screen to be repainted with the current date and time every second the demo application is running. The final bit of code in this CDK demonstration simply passes the arguments provided by the end-user on the command-line in a call to the `App`'s `Run()` method. This will cause the `DisplayManager`, `Display` and other systems to instantiate and begin processing events and render cycles.

v0.0.5 • 4 years ago

rescribe.xyz/bookpipeline

The bookpipeline package contains various tools and functions for the OCR of books, with a focus on distributed OCR using short-lived virtual servers. It also contains several tools that are useful standalone; read the accompanying README for more details. The book pipeline is a way to split the different processes that for book OCR into small jobs, which can be processed when a computer is ready for them. It is currently implemented with Amazon's AWS cloud systems, and can scale from zero to many computers, with jobs being processed faster when more servers are available. Central to the bookpipeline in terms of software is the bookpipeline command, which is part of the rescribe.xyz/bookpipeline package. Presuming you have the go tools installed, you can install it, and useful tools to control the system, with this command: All of the tools provided in the bookpipeline package will give information on what they do and how they work with the '-h' flag, so for example to get usage information on the booktopipeline tool simply run the following: To get the pipeline tools to work for you, you'll need to change the settings in cloudsettings.go, and set up your ~/.aws/credentials appropriately. Most of the time the bookpipeline is expected to be run from potentially short-lived servers on Amazon's EC2 system. EC2 provides servers which have no guaranteed of stability (though in practice they seem to be), called "Spot Instances", which we use for bookpipeline. bookpipeline can handle a process or server being suddenly destroyed without warning (more on this later), so Spot Instances are perfect for us. We have set up a machine image with bookpipeline preinstalled which will launch at bootup, which is all that's needed to launch an bookpipeline instance. Presuming the bookpipeline package has been installed on your computer (see above), the spot instance can be started with the command: You can keep an eye on the servers (spot or otherwise) that are running, and the jobs left to do and in progress, with the "lspipeline" tool (which is also part of the bookpipeline package). It's recommended to use this with the ssh private key for the servers, so that it can also report on what each server is currently doing, but it can run successfully without it. It takes a little while to run, so be patient. It can be run with the command: Spot instances can be terminated with ssh, using their ip address which can be found with lspipeline, like so: The bookpipeline program is run as a service managed by systemd on the servers. The system is fully resiliant in the face of unexpected failures. See the section "How the pipeline works" for details on this. bookpipeline can be managed like any other systemd service. A few examples: Books can be added to the pipeline using the "booktopipeline" tool. This takes a directory of page images as input, and uploads them all to S3, adding a job to the pipeline queue to start processing them. So it can be used like this: Once a book has been finished, it can be downloaded using the "getpipelinebook" tool. This has several options to download specific parts of a book, but the default case will download the best hOCR for each page, PDFs, and the best, conf and graph.png files. Use it like this: To get the plain text from the book, use the hocrtotxt tool, which is part of the rescribe.xyz/utils package. You can get the package, and run the tool, like this: The central part of the book pipeline is several SQS queues, which contain jobs which need to be done by a server running bookpipeline. The exact content of the SQS messages vary according to each queue, as some jobs need more information than others. Each queue is checked at least once every couple of minutes on any server that isn't currently processing a job. When a job is taken from the queue by a process, it is hidden from the queue for 2 minutes so that no other process can take it. Once per minute when processing a job the process sends a message updating the queue, to tell it to keep the job hidden for two minutes. This is called the "heartbeat", as if the process fails for any reason the heartbeat will stop, and in 2 minutes the job will reappear on the queue for another process to have a go at. Once a job is completed successfully it is deleted from the queue. Queue names are defined in cloudsettings.go. queuePreProc Each message in the queuePreProc queue is a bookname, optionally followed by a space and the name of the training to use. Each page of the bookname will be binarised with several different parameters, and then wiped, with each version uploaded to S3, with the path of the preprocessed page, plus the training name if it was provided, will be added to the queueOcrPage queue. The pages are binarised with different parameters as it can be difficult to determine which binarisation level will be best prior to OCR, so several different options are used, and in the queueAnalyse step the best one is chosen, based on the confidence of the OCR output. queueWipeOnly This queue works the same as queuePreProc, except that it doesn't binarise the pages, only runs the wiper. Hence it is designed for books which have been prebinarised. queuePreNoWipe This queue works the same as queuePreProc, except that it doesn'T wipe the pages, only runs the binarisation. It is designed for books which don't have tricky gutters or similar noise around the edges, but do have marginal content which might be inadventently removed by the wiper. queueOcrPage This queue contains the path of individual pages, optionally followed by a space and the name of the training to use. Each page is OCRed, and the results are uploaded to S3. After each page is OCRed, a check is made to see whether all pages that look like they were preprocessed have corresponding .hocr files. If so, the bookname is added to the queueAnalyse queue. queueAnalyse A message on the queueAnalyse queue contains only a book name. The confidences for each page are calculated and saved in the 'conf' file, and the best version of each page is decided upon and saved in the 'best' file. PDFs are then generated, and the confidence graph is generated. The queues should generally only be messed with by the bookpipeline and booktopipeline tools, but if you're feeling ambitious you can take a look at the `addtoqueue` tool. Remember that messages in a queue are hidden for a few minutes when they are read, so for example you couldn't straightforwardly delete a message which was currently being processed by a server, as you wouldn't be able to see it. At present the bookpipeline has some silly limitations of file names for book pages to be recognised. This is something which will be fixed in due course. While bookpipeline was built with cloud based operation in mind, there is also a local mode that can be used to run OCR jobs from a single computer, with all the benefits of preprocessing, choosing the best threshold for each image, graph creation, PDF creation, and so on that the pipeline provides. Several of the commands accept a `-c local` flag for local operation, but now there is also a new command, named rescribe, that is designed to make things much simpler for people just wanting to do some OCR on their local computer. Note that the local mode is not as well tested as the core cloud modes; please report any bugs you find with it.

v1.3.0 • last year

github.com/Ambrevar/Demlo

A dynamic and extensible music library organizer Demlo is a music library organizer. It can encode, fix case, change folder hierarchy according to tags or file properties, tag from an online database, copy covers while ignoring duplicates or those below a quality threshold, and much more. It makes it possible to manage your libraries uniformly and dynamically. You can write your own rules to fit your needs best. Demlo aims at being as lightweight and portable as possible. Its major runtime dependency is the transcoder FFmpeg. The scripts are written in Lua for portability and speed while allowing virtually unlimited extensibility. Usage: For usage options, see: First Demlo creates a list of all input files. When a folder is specified, all files matching the extensions from the 'extensions' variable will be appended to the list. Identical files are appended only once. Next all files get analyzed: - The audio file details (tags, stream properties, format properties, etc.) are stored into the 'input' variable. The 'output' variable gets its default values from 'input', or from an index file if specified from command-line. If no index has been specified and if an attached cuesheet is found, all cuesheet details are appended accordingly. Cuesheet tags override stream tags, which override format tags. Finally, still without index, tags can be retrieved from Internet if the command-line option is set. - If a prescript has been specified, it gets executed. It makes it possible to adjust the input values and global variables before running the other scripts. - The scripts, if any, get executed in the lexicographic order of their basename. The 'output' variable is transformed accordingly. Scripts may contain rules such as defining a new file name, new tags, new encoding properties, etc. You can use conditions on input values to set the output properties, which makes it virtually possible to process a full music library in one single run. - If a postscript has been specified, it gets executed. It makes it possible to adjust the output of the script for the current run only. - Demlo makes some last-minute tweaking if need be: it adjusts the bitrate, the path, the encoding parameters, and so on. - A preview of changes is displayed. - When applying changes, the covers get copied if required and the audio file gets processed: tags are modified as specified, the file is re-encoded if required, and the output is written to the appropriate folder. When destination already exists, the 'exist' action is executed. The program's default behaviour can be changed from the user configuration file. (See the 'Files' section for a template.) Most command-line flags default value can be changed. The configuration file is loaded on startup, before parsing the command-line options. Review the default value of the CLI flags with 'demlo -h'. If you wish to use no configuration file, set the environment variable DEMLORC to ".". Scripts can contain any safe Lua code. Some functions like 'os.execute' are not available for security reasons. It is not possible to print to the standard output/error unless running in debug mode and using the 'debug' function. See the 'sandbox.go' file for a list of allowed functions and variables. Lua patterns are replaced by Go regexps. See https://github.com/google/re2/wiki/Syntax. Scripts have no requirements at all. However, to be useful, they should set values of the 'output' table detailed in the 'Variables' section. You can use the full power of the Lua to set the variables dynamically. For instance: 'input' and 'output' are both accessible from any script. All default functions and variables (excluding 'output') are reset on every script call to enforce consistency. Local variables are lost from one script call to another. Global variables are preserved. Use this feature to pass data like options or new functions. 'output' structure consistency is guaranteed at the start of every script. Demlo will only extract the fields with the right type as described in the 'Variables' section. Warning: Do not abuse of global variables, especially when processing non-fixed size data (e.g. tables). Data could grow big and slow down the program. By default, when the destination exists, Demlo will append a suffix to the output destination. This behaviour can be changed from the 'exist' action specified by the user. Demlo comes with a few default actions. The 'exist' action works just like scripts with the following differences: - Any change to 'output.path' will be skipped. - An additional variable is accessible from the action: 'existinfo' holds the file details of the existing files in the same fashion as 'input'. This allows for comparing the input file and the existing destination. The writing rules can be tweaked the following way: Word of caution: overwriting breaks Demlo's rule of not altering existing files. It can lead to undesired results if the overwritten file is also part of the (yet to be processed) input. The overwrite capability can be useful when syncing music libraries however. The user scripts should be generic. Therefore they may not properly handle some uncommon input values. Tweak the input with temporary overrides from command-line. The prescript and postscript defined on command-line will let you run arbitrary code that is run before and after all other scripts, respectively. Use global variables to transfer data and parameters along. If the prescript and postscript end up being too long, consider writing a demlo script. You can also define shell aliases or use wrapper scripts as convenience. The 'input' table describes the file: Bitrate is in bits per seconds (bps). That is, for 320 kbps you would specify The 'time' is the modification time of the file. It holds the sec seconds and nsec nanoseconds since January 1, 1970 UTC. The entry 'streams' and 'format' are as returned by It gives access to most metadata that FFmpeg can return. For instance, to get the duration of the track in seconds, query the variable 'input.format.duration'. Since there may be more than one stream (covers, other data), the first audio stream is assumed to be the music stream. For convenience, the index of the music stream is stored in 'audioindex'. The tags returned by FFmpeg are found in streams, format and in the cuesheet. To make tag queries easier, all tags are stored in the 'tags' table, with the following precedence: You can remove a tag by setting it to 'nil' or the empty string. This is equivalent, except that 'nil' saves some memory during the process. The 'output' table describes the transformation to apply to the file: The 'parameters' array holds the CLI parameters passed to FFmpeg. It can be anything supported by FFmpeg, although this variable is supposed to hold encoding information. See the 'Examples' section. The 'embeddedcovers', 'externalcovers' and 'onlinecover' variables are detailed in the 'Covers' section. The 'write' variable is covered in the 'Existing destination' section. The 'rmsrc' variable is a boolean: when true, Demlo removes the source file after processing. This can speed up the process when not re-encoding. This option is ignored for multi-track files. For convenience, the following shortcuts are provided: Demlo provides some non-standard Lua functions to ease scripting. Display a message on stderr if debug mode is on. Return lowercase string without non-alphanumeric characters nor leading zeros. Return the relation coefficient of the two input strings. The result is a float in 0.0...1.0, 0.0 means no relation at all, 1.0 means identical strings. A format is a container in FFmpeg's terminology. 'output.parameters' contains CLI flags passed to FFmpeg. They are meant to set the stream codec, the bitrate, etc. If 'output.parameters' is {'-c:a', 'copy'} and the format is identical, then taglib will be used instead of FFmpeg. Use this rule from a (post)script to disable encoding by setting the same format and the copy parameters. This speeds up the process. The official scripts are usually very smart at guessing the right values. They might make mistakes however. If you are unsure, you can (and you are advised to) preview the results before proceeding. The 'diff' preview is printed to stderr. A JSON preview of the changes is printed to stdout if stdout is redirected. The initial values of the 'output' table can be completed with tags fetched from the MusicBrainz database. Audio files are fingerprinted for the queries, so even with initially wrong file names and tags, the right values should still be retrieved. The front album cover can also be retrieved. Proxy parameters will be fetched automatically from the 'http_proxy' and 'https_proxy' environment variables. As this process requires network access it can be quite slow. Nevertheless, Demlo is specifically optimized for albums, so that network queries are used for only one track per album, when possible. Some tracks can be released on different albums: Demlo tries to guess it from the tags, but if the tags are wrong there is no way to know which one it is. There is a case where the selection can be controlled: let's assume we have tracks A, B and C from the same album Z. A and B were also released in album Y, whereas C was release in Z only. Tags for A will be checked online; let's assume it gets tagged to album Y. B will use A details, so album Y too. Then C does not match neither A's nor B's album, so another online query will be made and it will be tagged to album Z. This is slow and does not yield the expected result. Now let's call Tags for C will be queried online, and C will be tagged to Z. Then both A and B will match album Z so they will be tagged using C details, which is the desired result. Conclusion: when using online tagging, the first argument should be the lesser known track of the album. Demlo can set the output variables according to the values set in a text file before calling the script. The input values are ignored as well as online tagging, but it is still possible to access the input table from scripts. This 'index' file is formatted in JSON. It corresponds to what Demlo outputs when printing the JSON preview. This is valid JSON except for the missing beginning and the missing end. It makes it possible to concatenate and to append to existing index files. Demlo will automatically complete the missing parts so that it becomes valid JSON. The index file is useful when you want to edit tags manually: You can redirect the output to a file, edit the content manually with your favorite text editor, then run Demlo again with the index as argument. See the 'Examples' section. This feature can also be used to interface Demlo with other programs. Demlo can manage embedded covers as well as external covers. External covers are queried from files matching known extensions in the file's folder. Embedded covers are queried from static video streams in the file. Covers are accessed from The embedded covers are indexed numerically by order of appearance in the streams. The first cover will be at index 1 and so on. This is not necessarily the index of the stream. 'inputcover' is the following structure: 'format' is the picture format. FFmpeg makes a distinction between format and codec, but it is not useful for covers. The name of the format is specified by Demlo, not by FFmpeg. Hence the 'jpeg' name, instead of 'mjpeg' as FFmpeg puts it. 'width' and 'height' hold the size in pixels. 'checksum' can be used to identify files uniquely. For performance reasons, only a partial checksum is performed. This variable is typically used for skipping duplicates. Cover transformations are specified in 'outputcover' has the following structure: The format is specified by FFmpeg this time. See the comments on 'format' for 'inputcover'. 'parameters' is used in the same fashion as 'output.parameters'. User configuration: This must be a Lua file. See the 'demlorc' file provided with this package for an exhaustive list of options. Folder containing the official scripts: User script folder: Create this folder and add your own scripts inside. This folder takes precedence over the system folder, so scripts with the same name will be found in the user folder first. The following examples will not proceed unless the '-p' command-line option is true. Important: you _must_ use single quotes for the runtime Lua command to prevent expansion. Inside the Lua code, use double quotes for strings and escape single quotes. Show default options: Preview changes made by the default scripts: Use 'alternate' script if found in user or system script folder (user folder first): Add the Lua file to the list of scripts. This feature is convenient if you want to write scripts that are too complex to fit on the command-line, but not generic enough to fit the user or system script folders. Remove all script from the list, then add '30-case' and '60-path' scripts. Note that '30-case' will be run before '60-path'. Do not use any script but '60-path'. The file content is unchanged and the file is renamed to a dynamically computed destination. Demlo performs an instant rename if destination is on the same device. Otherwise it copies the file and removes the source. Use the default scripts (if set in configuration file), but do not re-encode: Set 'artist' to the value of 'composer', and 'title' to be preceded by the new value of 'artist', then apply the default script. Do not re-encode. Order in runtime script matters. Mind the double quotes. Set track number to first number in input file name: Use the default scripts but keep original value for the 'artist' tag: 1) Preview default scripts transformation and save it to an index. 2) Edit file to fix any potential mistake. 3) Run Demlo over the same files using the index information only. Same as above but generate output filename according to the custom '61-rename' script. The numeric prefix is important: it ensures that '61-rename' will be run after all the default tag related scripts and after '60-path'. Otherwise, if a change in tags would occur later on, it would not affect the renaming script. Retrieve tags from Internet: Same as above but for a whole album, and saving the result to an index: Only download the cover for the album corresponding to the track. Use 'rmsrc' to avoid duplicating the audio file. Change tags inplace with entries from MusicBrainz: Set tags to titlecase while casing AC-DC correctly: To easily switch between formats from command-line, create one script per format (see 50-encoding.lua), e.g. ogg.lua and flac.lua. Then Add support for non-default formats from CLI: Overwrite existing destination if input is newer: ffmpeg(1), ffprobe(1), http://www.lua.org/pil/contents.html

v3.7.1+incompatible • 8 years ago

github.com/Jung-kurt/gofpdf

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. • Choice of measurement unit, page format and margins • Page header and footer management • Automatic page breaks, line breaks, and text justification • Inclusion of JPEG, PNG, GIF, TIFF and basic path-only SVG images • Colors, gradients and alpha channel transparency • Outline bookmarks • Internal and external links • TrueType, Type1 and encoding support • Page compression • Lines, Bézier curves, arcs, and ellipses • Rotation, scaling, skewing, translation, and mirroring • Clipping • Document protection • Layers • Templates • Barcodes gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. Like FPDF version 1.7, from which gofpdf is derived, this package does not yet support UTF-8 fonts. In particular, languages that require more than one code page such as Chinese, Japanese, and Arabic are not currently supported. This is explained in issue 109. However, support is provided to automatically translate UTF-8 runes to code page encodings for languages that have fewer than 256 glyphs. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running "go test ./..." is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you'll need to examine fpdf_test.go for some helper routines, for example exampleFilename() and summary(). Example PDFs can be compared with reference copies in order to verify that they have been generated as expected. This comparison will be performed if a PDF with the same name as the example PDF is placed in the gofpdf/pdf/reference directory. The routine that summarizes an example will look for this file and, if found, will call ComparePDFFiles() to check the example PDF for equality with its reference PDF. If differences exist between the two files they will be printed to standard output and the test will fail. If the reference file is missing, the comparison is considered to succeed. In order to successfully compare two PDFs, the placement of internal resources must be consistent and the internal creation timestamps must be the same. To do this, the methods SetCatalogSort() and SetCreationDate() need to be called for both files. This is done automatically for all examples. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). In order to use a different TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run "go build". This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include http://www.google.com/fonts/ and http://dejavu-fonts.org/. The draw2d package (https://github.com/llgcode/draw2d) is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. A contribution that does not directly pertain to the core functionality of gofpdf should be placed in its own directory directly beneath the `contrib` directory. Here are guidelines for making submissions. Your change should • be compatible with the MIT License • be properly documented • be formatted with `go fmt` • include an example in fpdf_test.go if appropriate • conform to the standards of golint (https://github.com/golang/lint) and go vet (https://godoc.org/golang.org/x/tools/cmd/vet), that is, `golint .` and `go vet .` should not generate any warnings • not diminish test coverage (https://blog.golang.org/cover) Pull requests (https://help.github.com/articles/using-pull-requests/) work nicely as a means of contributing your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package's code and documentation are closely derived from the FPDF library (http://www.fpdf.org/) created by Olivier Plathey, and a number of font and image resources are copied directly from it. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image's extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Jelmer Snoek and Guillermo Pascual augmented the basic HTML functionality with aligned text. Kent Quirk implemented backwards-compatible support for reading DPI from images that support it, and for setting DPI manually and then having it properly taken into account when calculating image size. Paulo Coutinho provided support for static embedded fonts. Bruno Michel has provided valuable assistance with the code. • Handle UTF-8 source text natively. Until then, automatic translation of UTF-8 runes to code page bytes is provided. • Improve test coverage as reported by the coverage tool. This example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retrieved with the output call where it can be handled by the application.

v1.16.2 • 6 years ago

github.com/H0llyW00dzZ/fiber2fa

Package twofa provides a middleware for implementing two-factor authentication (2FA) in a Fiber application. It supports time-based one-time password (TOTP) authentication using the HMAC-based One-Time Password (HOTP) algorithm. To use this middleware in a Fiber project, Go must be installed and set up. 1. Install the package using Go modules: 2. Import the package in the Fiber application: To use the 2FA middleware in a Fiber application, create a new instance of the middleware with the desired configuration and register it with the application. Note: This 2FA middleware requires c.Locals to be set before using it. Use the fiber.Ctx.Locals middleware to set c.Locals. In the example above, the fiber.Locals middleware is used to set c.Locals with the "email" key and the corresponding value. This value can be accessed in the 2FA middleware using the ContextKey specified in the configuration. The 2FA middleware is then created with a configuration that specifies the issuer name, context key, and storage provider. The 2FA middleware accepts a twofa.Config struct for configuration. The available options are: The 2FA middleware requires a storage provider to store the 2FA information for each user. The storage provider should implement the fiber.Storage interface. You can use any storage provider that implements the fiber.Storage interface, such as: The 2FA information is stored in the storage using the ContextKey as the unique identifier. The ContextKey is bound to the raw value (2FA information) in the storage. The 2FA middleware provides a route for generating QR codes that can be scanned by authenticator apps to set up 2FA for a user. By default, the QR code generation route is accessible at "/2fa/register?account=<account_name>". You can customize the path template by modifying the PathTemplate field in the twofa.QRCodeConfig struct. The QR code image can be customized by providing a custom image in the Image field of the twofa.QRCodeConfig struct. If a custom image is provided, it will be used as the background image for the QR code. The content of the QR code can be customized by modifying the Content field in the twofa.QRCodeConfig struct. The default content format is "otpauth://totp/%s:%s?secret=%s&issuer=%s". The 2FA middleware allows generating custom QR code images for use with custom mobile apps or physical devices. This feature provides flexibility in integrating 2FA with custom cryptography and scanning mechanisms. To generate a custom QR code image, provide a custom image in the Image field of the twofa.QRCodeConfig struct. The custom image should be of type image.Image. When a custom image is provided, the middleware will generate a QR code and overlay it on top of the custom image. The resulting QR code image can be scanned by a custom mobile app or physical device that supports QR code scanning. By using a custom QR code image, it's possible to incorporate custom branding, design, or additional information into the QR code. This allows creating a seamless and integrated 2FA experience for users. Additionally, custom cryptography techniques can be leveraged to secure the QR code data. Instead of using the default TOTP algorithm, custom encryption and decryption mechanisms can be implemented to protect the shared secret and other sensitive information embedded in the QR code. Furthermore, the custom QR code image generation feature enables extending 2FA beyond mobile apps. The QR code can be bound to physical devices or objects that have scanning capabilities, such as smart cards, badges, or dedicated hardware tokens. This provides an additional layer of security and convenience for users who prefer physical authentication methods. To implement custom QR code image generation, follow these steps: By leveraging custom QR code image generation, it's possible to create a unique and secure 2FA experience tailored to specific requirements and user preferences. The 2FA middleware handles errors internally and returns appropriate HTTP status codes and error messages. If an error occurs during the 2FA process, the middleware will return a response with a status code of 401 (Unauthorized) or 500 (Internal Server Error), depending on the nature of the error. The error messages are sent in the specified response format (MIME type) configured in the ResponseMIME field of the twofa.Config struct. The default response format is plain text (fiber.MIMETextPlainCharsetUTF8). You can customize the error handling by providing custom handlers for unauthorized and internal server errors using the UnauthorizedHandler and InternalErrorHandler fields in the twofa.Config struct. The 2FA middleware defines several error variables that represent different types of errors that can occur during the 2FA process. These error variables are: These error variables are used by the middleware to provide meaningful error messages when errors occur during the 2FA process. You can skip the 2FA middleware for certain routes by specifying the paths in the SkipCookies field of the twofa.Config struct. Additionally, you can provide a custom function in the Next field of the twofa.Config struct to determine whether to skip the 2FA middleware for a given request. If the function returns true, the middleware will be skipped. The 2FA middleware uses the twofa.Info struct to manage the 2FA information for each user. The twofa.Info struct implements the twofa.InfoManager interface, which defines methods for accessing and modifying the 2FA information. The twofa.Info struct contains the following fields: The twofa.InfoManager interface provides methods for accessing and modifying these fields. The 2FA middleware uses cookies to store the 2FA validation status for each user. The cookie-related configurations can be customized using the following fields in the twofa.Config struct: The middleware generates a signed cookie value using HMAC to ensure the integrity of the cookie. The cookie value contains the expiration time of the cookie. The 2FA middleware verifies the TOTP token provided by the user during the 2FA process. The token can be extracted from various sources such as query parameters, form data, cookies, headers, or URL parameters. The token lookup configuration is specified using the TokenLookup field in the twofa.Config struct. It follows the format "<source>:<name>", where <source> can be "query", "form", "cookie", "header", or "param", and <name> is the name of the parameter or key. If a valid token is provided, the middleware sets a 2FA cookie to indicate that the user has successfully completed the 2FA process. The cookie value is generated using the twofa.Middleware.GenerateCookieValue function, which signs the cookie value using HMAC. The 2FA middleware generates a unique identifier for each 2FA registration. The identifier is used to associate the 2FA information with a specific user or account. By default, the middleware uses the github.com/gofiber/utils.UUIDv4 function to generate a random UUID as the identifier. The identifier generation can be customized by providing a custom function in the IdentifierGenerator field of the twofa.Config struct. The custom function should take a *fiber.Ctx as a parameter and return a string identifier. The generated identifier is stored in the twofa.Info struct and can be accessed using the twofa.Info.GetIdentifier method. In the example above, the customIdentifierGenerator function is provided as the value for the IdentifierGenerator field in the twofa.Config struct. This function will be called by the middleware to generate the identifier for each 2FA registration. The custom identifier generator function can access the request context through the *fiber.Ctx parameter and generate the identifier based on any relevant information available in the context, such as user ID, email, or any other unique attribute. Providing a custom identifier generator allows for the flexibility to generate identifiers that are specific to the application's requirements and ensures uniqueness and compatibility with the existing user or account management system. Note: If the IdentifierGenerator field is not provided or set to nil, the middleware will use the default identifier generator, which generates a random UUID using github.com/gofiber/utils.UUIDv4.

v0.10.3 • last year

github.com/ejfhp/gofpdf/v2

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. - UTF-8 support - Choice of measurement unit, page format and margins - Page header and footer management - Automatic page breaks, line breaks, and text justification - Inclusion of JPEG, PNG, GIF, TIFF and basic path-only SVG images - Colors, gradients and alpha channel transparency - Outline bookmarks - Internal and external links - TrueType, Type1 and encoding support - Page compression - Lines, Bézier curves, arcs, and ellipses - Rotation, scaling, skewing, translation, and mirroring - Clipping - Document protection - Layers - Templates - Barcodes - Charting facility - Import PDFs as templates gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. gofpdf supports UTF-8 TrueType fonts and “right-to-left” languages. Note that Chinese, Japanese, and Korean characters may not be included in many general purpose fonts. For these languages, a specialized font (for example, NotoSansSC for simplified Chinese) can be used. Also, support is provided to automatically translate UTF-8 runes to code page encodings for languages that have fewer than 256 glyphs. This repository will not be maintained, at least for some unknown duration. But it is hoped that gofpdf has a bright future in the open source world. Due to Go’s promise of compatibility, gofpdf should continue to function without modification for a longer time than would be the case with many other languages. Forks should be based on the last viable commit. Tools such as active-forks can be used to select a fork that looks promising for your needs. If a particular fork looks like it has taken the lead in attracting followers, this README will be updated to point people in that direction. The efforts of all contributors to this project have been deeply appreciated. Best wishes to all of you. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running go test ./... is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you’ll need to examine fpdf_test.go for some helper routines, for example exampleFilename() and summary(). Example PDFs can be compared with reference copies in order to verify that they have been generated as expected. This comparison will be performed if a PDF with the same name as the example PDF is placed in the gofpdf/pdf/reference directory and if the third argument to ComparePDFFiles() in internal/example/example.go is true. (By default it is false.) The routine that summarizes an example will look for this file and, if found, will call ComparePDFFiles() to check the example PDF for equality with its reference PDF. If differences exist between the two files they will be printed to standard output and the test will fail. If the reference file is missing, the comparison is considered to succeed. In order to successfully compare two PDFs, the placement of internal resources must be consistent and the internal creation timestamps must be the same. To do this, the methods SetCatalogSort() and SetCreationDate() need to be called for both files. This is done automatically for all examples. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). You should use AddUTF8Font() or AddUTF8FontFromBytes() to add a TrueType UTF-8 encoded font. Use RTL() and LTR() methods switch between “right-to-left” and “left-to-right” mode. In order to use a different non-UTF-8 TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run “go build”. This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include Google Fonts and DejaVu Fonts. The draw2d package is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. A contribution that does not directly pertain to the core functionality of gofpdf should be placed in its own directory directly beneath the contrib directory. Here are guidelines for making submissions. Your change should - be compatible with the MIT License - be properly documented - be formatted with go fmt - include an example in fpdf_test.go if appropriate - conform to the standards of golint and go vet, that is, golint . and go vet . should not generate any warnings - not diminish test coverage Pull requests are the preferred means of accepting your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package’s code and documentation are closely derived from the FPDF library created by Olivier Plathey, and a number of font and image resources are copied directly from it. Bruno Michel has provided valuable assistance with the code. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image’s extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Jelmer Snoek and Guillermo Pascual augmented the basic HTML functionality with aligned text. Kent Quirk implemented backwards-compatible support for reading DPI from images that support it, and for setting DPI manually and then having it properly taken into account when calculating image size. Paulo Coutinho provided support for static embedded fonts. Dan Meyers added support for embedded JavaScript. David Fish added a generic alias-replacement function to enable, among other things, table of contents functionality. Andy Bakun identified and corrected a problem in which the internal catalogs were not sorted stably. Paul Montag added encoding and decoding functionality for templates, including images that are embedded in templates; this allows templates to be stored independently of gofpdf. Paul also added support for page boxes used in printing PDF documents. Wojciech Matusiak added supported for word spacing. Artem Korotkiy added support of UTF-8 fonts. Dave Barnes added support for imported objects and templates. Brigham Thompson added support for rounded rectangles. Joe Westcott added underline functionality and optimized image storage. Benoit KUGLER contributed support for rectangles with corners of unequal radius, modification times, and for file attachments and annotations. - Remove all legacy code page font support; use UTF-8 exclusively - Improve test coverage as reported by the coverage tool. Example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retrieved with the output call where it can be handled by the application.

v2.18.2 • 4 years ago

github.com/telekom-security/gofpdf

v1.17.0 • 4 years ago

github.com/telekom-security/gofpdf/v3

v3.1.1 • 4 years ago

github.com/jung-kurt/caddy-pubsub

Package pubsub implements a longpoll-based publish and subscribe middleware for Caddy, a modern, full-featured, easy-to-use web server. This plugin lets you easily push event notifications to any practical number of web clients. To publish an event, post content that includes a category and body to the “publish” URL configured in the Caddyfile. To subscribe to published events, simply connect your web client to the “subscribe” URL configured in the Caddyfile. To manage the subscription connection, include the small, dependency-free file ps.js in your web application and use the non-blocking methods of a Subscriber instance. This plugin uses longpolling (specifically, golongpoll) to connect clients to the server. The advantages of this are significant. Longpoll connections - are straightforward HTTP/HTTPS - are not thwarted by firewalls and proxies - are supported by virtually all browsers Additionally, this plugin provides a simple web-based interface to publish events, so any software capable of posting content to the Caddy server, such as wget and web browsers, can dispatch information to listening clients. This flexibility allows short-lived applications, such as crontab scripts and CGI scripts, to publish events that are of interest to subscribing web clients. On the downside, longpoll connections are one-direction only. Published events flow only from the server to clients. However, because of this plugin’s simple publishing interface, a web client that receives an event can immediately publish its own response. As with websockets, longpolling requires special care to protect both the server and all connected clients. LONGPOLLING CONSUMES RESOURCES ON THE SERVER. Too many connections to clients can impact server operations. It is important to protect the configured “subscribe” path with some form of authentication such as basic authentication or JWT in order to manage the number of connections that your system will maintain. Be sure to use HTTPS! PUBLISHED EVENTS CAN INSTANTLY REACH A LARGE NUMBER OF CLIENTS. Be sure to require authorization in order to access the configured “publish” path to prevent rogue publishers from dispatching unexpected content to clients or flooding the subscription channels. The basic pubsub directive lets you specify a “publish” path and a corresponding “subscribe” path. This directive can be repeated. Each pubsub block is managed by its own longpoll instance so categories are effectively scoped by directive. For example: The specified paths are virtual; they do not refer to any filesystem resources. When the Caddy server receives a call that matches the publish_path URL, the pubsub plugin responds by checking the request for the url-encoded form fields “category” and “body”. If these form values are sent to the server in a POST request rather than included in the tail of the URL in a GET request, the Content-Type must be “application/x-www-form-urlencoded”. The body value is then dispatched verbatim to all clients that are currently subscribed to the specified category. Structured data is easily dispatched by sending a JSON-encoded value. At its simplest, a publish call might look like In this example, the body “Hello world” is dispatched to all subscribers of the “team” category. When the Caddy server receives a call that matches the subscribe_path URL, the pubsub plugin keeps the connection alive until a publication event of the correct category is returned or the configured time limit is reached. In either case, the client then makes another similar request of the server. This cycle continues until the client page is dismissed. When the longpoll instance detects that the client is no longer responsive it gracefully drops the client from its subscription list. The basic syntax shown above is likely all you will need to configure the pubsub plugin. If some control over the underlying golongpoll package is needed, you can use all or part of the advanced syntax shown here. Any missing fields are replaced with their default values; see the golongpoll documentation for more details. The MaxLongpollTimeoutSeconds subdirective specifies the maximum number of seconds that the longpoll server will keep a client connection alive. The MaxEventBufferSize subdirective specifies the maximum number of events of a particular category that will be kept by the longpoll server. Beyond this limit, events will be dropped even if they have not expired. The EventTimeToLiveSeconds subdirective specifies how long events will be retained by the longpoll server. If the DeleteEventAfterFirstRetrieval subdirective is present then events will be deleted right after they have been dispatched to current subscribers. Here is a sample Caddyfile that can be modified for use in the following example: - Obtain or build a Caddy web server with the pubsub plugin. - Create an example directory and download the files in the repository example directory to it. Make this your default working directory. - Edit the file named Caddyfile. Modify the site address to an appropriate local network address. Ideally, you will use an address that can be accessed from a number of devices on your network. (A local interface, such as 127.0.0.5, will work, but then you will have to simulate multiple devices by opening multiple tabs in your browser.) You may wish to use a non-standard port if you need to avoid interfering with another server. HTTP is used here for the purposes of a local, insecure demonstration. USE HTTPS IN PRODUCTION. The Caddyfile has values for the authorization fields and paths that are used as defaults in the example script, so leaving them as they are will simplify the demonstration. - Launch the Caddy web server from the directory that contains your example Caddyfile. The command might be simply caddy or, if the caddy executable you wish to run is not on the default search path, you will need to qualify the name with its location. - Access the server with the web browsers of a number of devices. Alternatively, open a number of tabs in a single browser and point them to the server. - On each open page, click the “Configure” button and make appropriate changes. Most fields, such as “Auth password” and “URL” are pre-filled to match the values in the sample Caddyfile. You may enter a name in the “Publisher name” field or leave it empty. A blank value will be replaced with a random name like “user_42” the first time you publish an event. - On each open page, click the “Run” button and then the “Start” button. Simulate the publication of events by clicking the “A”, “B”, and “C” buttons from various devices or tab pages. Additionally, you may click the “Auto start” button. This will begin an automatic sequence in which an event is published at random intervals. Published events will be sent to the web server and dispatched to all subscribing pages. These events will be displayed beneath the buttons in a list. A page can publish events even if it does not subscribe to them. The JavaScript file ps.js is included in the example shown above. This script may be included in a web page with the following line: The script is small and dependency-free and should be easy to modify if needed. Within your application code, instantiate a Subscriber instance as follows: The parameters are: - category: a short string that identifies the event category to which to subscribe - url: the subscribe_path configured in the Caddyfile (in the example above, this is “/psdemo/subscribe”) - callback: this is a function that is called (with the published body and server timestamp) for each event of the specified category - authorization: a string like “Basic c3Vic2NyaWJlOjEyMw==” that will be sent as an authorization header. - options: an object that contains the fields timeout (seconds, default 45), successDelay (milliseconds, default 10), errorDelay (milliseconds, default 3000), and json (boolean, true if event bodies are JSON-encoded and should be automatically decoded, default false). More details can be found in the comments in the ps.js file. To start the subscription, call To end the subscription, call Publish an event as follows: The parameters are: - category: a short string that identifies the event category of the published event - url: the publish_path configured in the Caddyfile (in the example above, this is “/psdemo/publish”) - body: this is the text that will be dispatched to all subscribers of events with the specified category; this text is often a JSON-encoded object - authorization: a string like “Basic cHVibGlzaDoxMjM=” that will be sent as an authorization header. A variation of the ps.publish() function is In this case, body can be any JSON-encodable value such as an array or an object. When subscribing to events that are published this way, it is convenient to set the “json” field of the options argument of ps.Subscriber() to true so that the event body is automatically decoded.

v0.5.6 • 6 years ago

github.com/jorgeadev/gofpdf

v1.16.2 • 6 years ago

github.com/sprucehealth/gofpdf

v0.0.0-20140812012239-a74eac85e1b7 • 11 years ago

github.com/queueup-dev/gofpdf

v1.16.3 • 4 years ago

github.com/saisiyun/gofpdf

v1.16.2 • 6 years ago

github.com/ycabrer/evapi-golang

* ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git) * ExaVault API * * # Introduction Welcome to the ExaVault API documentation. Our API lets you control nearly all aspects of your ExaVault account programatically, from uploading and downloading files to creating and managing shares and notifications. Capabilities of the API include - Uploading and downloading files. - Managing files and folders, including standard operations like move, copy and delete. - Getting information about activity occuring in your account. - Creating, updating and deleting users. - Creating and managing shares, including download-only shares and receive folders. - Setting up and managing notifications. The ExaVault API v2.0 is a RESTful API using JSON. ## The API URL You will access your account from your server address. For example, if your account is available at exampleaccount.exavault.com, you'll connect to the API at https://exampleaccount.exavault.com/api/v2 # Obtaining Your API Key and Access Token Account admins can create API Keys and personal access tokens within the ExaVault File Manager web application. ## Create an API Key 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 2. Click on the **My Account** option in the left-hand sidebar 3. Click on the **Developer** tab 4. Click the + button next to the table of API Keys to create a new key 5. Enter a name that will uniquely identify connections using this key. This name will appear in your activity session logs. 6. Enter a description with any other information that you need to track the purpose of your API key 7. Save the new key As soon as you save a new API key, you'll be prompted to create a personal access token which will allow a specific user to connect via the API using that API key (jump to step 5 in the instructions below) ## Generate an Access Token 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **My Account** option in the left-hand sidebar 1. Click on the **Developer** tab 1. Click the + button next to the table of Access Tokens to create a new token 1. Select the API Key from the first dropdown. 1. Select the user who will use this token from the second dropdown. 1. Click the **GENERATE TOKEN** button The confirmation popup will display your API key and your access token. **Copy this access token to a safe location (such as a password vault) immediately.** Once you close this popup, you will not be able to see the token again. After you have saved your token securely, click CLOSE to close the popup. The access token you have created will allow any program using that token and its API key to masquerade as the associated user. You should keep the token safe. # Authentication The ExaVault API uses the combination of an API key and a persistent access token to authenticate a user. Both the API key and the access token can be created by an admin-level user Each request made to the API must include 2 headers | Header Name | Contains | | --- | :---: | | **ev-api-key** | Your API key | | **ev-access-token** | Your access token | The access token uniquely identifies the user account for the connection. You should keep this token secure. # HTTP Status Codes The ExaVault API v2.0 is RESTful and returns appropriate HTTP status codes in its responses **Success Statuses:** | Status | Notes | | --- | :---: | | 200 | Successful operation | | 201 | Successful creation operation | | 207 | Multiple operation status | **Request Error Statuses:** | Status | Notes | | --- | :---: | | 400 | Bad Request | | 401 | Unauthorized | | 403 | Forbidden | | 404 | Not Found* | | 429 | Too many requests | **Server Error Statuses:** | Status | Notes | | --- | --- | | 500 | Server Error | | 503 | Service unavailable | # Response Format Nearly every response from the server will be a JSON object, which will contain a `responseStatus` attribute that matches the HTTP status of the response. Most succesful responses will also include a `data` attribute that contains the data related to your request. For instance using GET /account will return the information for the account associated with your API key and access token. ## Error Responses Error responses will have a similar format. The response will contain a `responseStatus` which contains the HTTP status code and an `errors` array, which will contain pertinent errors for the request. Each object in the `errors` array will contain a human-readable `code` and some explanatory `detail` text. ## Common Errors As you work with our suite of APIs, you'll likely encounter one or more of these error codes throughout the process. Let's take a look at some of the most common errors and how to resolve them quickly and painlessly. ### 400 Error - Bad Request: ```json { \"responseStatus\":400, \"errors\":[ { \"code\":\"ERROR_INVALID_PARAMETER\", \"detail\":\"Destination path cannot be an existing folder.\" } ] } ``` ```json { \"responseStatus\": 400, \"errors\": [ { \"code\": \"ERROR_INVALID_PASSWORD\", \"detail\": \"Password must be longer than eight (8) characters and contain one uppercase letter, one lowercase letter, and one number.\" } ] } ``` This error will generally mean a paramater or body element is invalid or missing. We suggest taking another look at the documentation of the API endpoint you're hitting to double check for; missing required fields in the request, spelling errors, invalid values be used. The error messaging returned should point you exactly to what you need to correct to avoid going through trial and error. ### 401 Error - Unauthorized ```json { \"responseStatus\": 401, \"errors\": [ { \"code\": \"ERROR_INVALID_CREDENTIALS\", \"detail\": \"HTTP_UNAUTHORIZED\" } ] } ``` If you encounter a 401, it means we're not recognizing the credentials you're attempting to authenticate with. To resolve the issue; 1. Double check that your credenitals (API Key and Access Token) are correct. 2. Creating a second set of credentials (see \"Obtaining Your API Key and Access Token\" above) and attempt the call again. 3. If you're able to successfully make a call, regenerate the Access Token of the first user and try the call one last time. If you're still encountering a 401, contact us for help. ### 403 Error - Forbidden ```json { \"responseStatus\": 403, \"errors\": [ { \"code\": \"ERROR_INSUFFICIENT_PRIVILEGES\", \"detail\": \"An error occurred\" } ] } ``` Similarly to a 401, you'll be unable to complete an API call if you encounter this error. Unlike a 401, your credentials were authenticated, but the authenticated user does not have permission to perform the action you're attempting. To resolve the issue you can either; - Execute the call using an master user's credentials. - Log in to the ExaVault File Manager OR use the **PATCH /updateUser** endpoint to update the user's permissions. ### 404 Error - Not Found ```json { \"responseStatus\": 404, \"errors\": [ { \"code\": \"ERROR_SHARE_NOT_FOUND\", \"detail\": \"Share not found\" } ] } ``` Encountering a 404 error means whatever type of resource you're attempting to find or update; isn't being found. Usually, this is just a case of using the wrong ID when using a call, and can be resolved by fixing the ID on your call. If the ID on the call appears to be correct we recommend taking the following steps: - Attempt a more generic GET call to get a list of the type of resource you're looking for to see if you can find the ID you're looking for. - Check your activity logs to see if what you're looking for was recently deleted. # Identifying Resources Many API methods require you to provide one or more resources, which may be expressed as paths, ids, hashes, or some combination of the three (for calls that act upon multiple resources). To specify a resource by path, provide a fully qualified string to the resource _relative to the associated user's home directory_. This path will always begin with a forward slash. Only forward slash characters may be used to separate the folders within a path string. To specify a resource by ID, you'll need to obtain that ID from some other API method first. For example, **GET /resources/list** will return a list of resources in your account along with their IDs. Once you have the ID of that resource, append it to the string \"id:\" to specify that resource, such as `id:124447`. IDs are always whole-number numeric values. To specify a resource by hash, first obtain the hash from another API method. Once you have the hash representing the resource, append it to the string \"hash:\" to specify that resource, such as `hash:3a1597ca982231f6666c75bcc2bd9c85` to indicate the resource with the hash value **3a1597ca982231f6666c75bcc2bd9c85**. Hashes are always an alphanumeric sequence without any special characters or punctuation. ## Paths and Home Folders Users with different home folders will use different paths to refer to the same resource. As an example, suppose there is a file located at **_/Data/Production/Inbound/1595978053_G12.xml**. For an admin-level user, or any user whose home folder permits them access to the entire account, the path for that resource is **_/Data/Production/Inbound/1595978053_G12.xml**. For a user whose home folder is **_/Data/Production/_**, the path to the file becomes **_/Inbound/1595978053_G12.xml** # Transaction Limits The daily transaction limit restricts the overall number of operations you can perform in a 24-hour period in your ExaVault account. Those transactions could be file uploads, file downloads, making a shared folder, creating a user, deleting files, to name a few examples. All operations performed in your account count against the total daily transactions for your account, including: - FTP/SFTP operations - Actions by users who are logged into your web interface - Interacting with Receive folders - Receiving files through Send files and Shared Folders - Accessing files shared through direct links - API access from any user using any of the API keys for your account Each request sent to the API is one transaction. When your account has exceeded its rolling 24-hour rate limit, new operations will become available once the number of operations in the past 24-hours is below your daily rate limit. The response status of rate-limited API operations will be **429**. ## Rate Limit Headers To monitor your daily account transaction usage, the response object returned by the server for all API requests will include these custom headers: - **X-RateLimit-Limit** indicates the total number of operations permitted within a rolling 24-hour period across your entire account. This number is dependent upon the plan your account is subscribed to, and whether you have an enterprise agreement in place. - **X-RateLimit-Remaining** indicates the number of operations currently remaning to you at that moment in time. # Webhooks ExaVault provides a webhook system for notifying you of changes to your account. The webhook sender will send a POST request to an endpoint you have specified whenever certain actions happen within your account. Account administrators can change these settings within the ExaVault File Manager. Webhooks will attempt to send a message up to 8 times with increasing timeouts between each attempt. All webhook requests are tracked in the webhooks log within the ExaVault File Manager web interface. ## Configuring Webhooks 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password. 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Add the URL where your webhook listener can receive requests 1. Check the boxes for the actions which should trigger your webhook. 1. Scroll to the bottom of the page to click SAVE SETTINGS. ## Verification Signature When you configure a webhook endpoint and triggering actions, a Verification Token will be displayed below the webhook endpoint URL. You may use this token in combination with the X-Exavault-Signature header to verify that ExaVault is the sender of the webhook request. ## Comparing the Signature You'll can use this 3-step procedure to validate an individual webhook request to ensure it was sent by ExaVault. **1: Get Verification Token** In order to verify the X-Exavault-Signature header value, you'll first need to obtain the Verification Token for your account: 1. Click on the **My Account** option in the left-hand sidebar. 1. Click on the **Developer** tab 1. Copy the Verification Token that appears below the Webhooks Endpoint url field. Every webhook request sent to your endpoint URL will use the same verification token. This token won't change for your account. **2: Concatenate Token and Request** Once you have the verification token, you'll concatenate that token along with the raw string representing the request body that was received. **Do not convert the request body to any other type** of object; if the library you're using automatically converts the request body to an object, look for a method to obtain the raw request body as text. **3: Calculate MD5 Hash** Calculate the md5 hash of that concatenation. The result should match the contents of your X-Exavault-Signature header. ## Webhook Request Examples The following examples demonstrate the structure of webhook requests and how to validate the verification signature for an individual request. All of these examples will use the same verification token; you'll need to use the token for your account to do the same checks on your own webhook requests. **User Connect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 6e13eb14edfd0bd54feff96be131e155 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Connect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **User Disconnect Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | 186e8c73793666c8b5cfa0b55eee691d | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Disconnect\",\"protocol\":\"web\",\"path\":\"\",\"sourcepath\":\"\",\"attempt\":1} ``` **File Upload Example** | Verification Token | X-Exavault-Signature header value | | --- | --- | | efb7e0030e6cef1b45d3d74a67881a2b | e86119ce1b679c7b6010d9ac9a843a36 | ```json {\"accountname\":\"exampleaccount\",\"username\":\"exampleaccount\",\"operation\":\"Upload\",\"protocol\":\"web\",\"path\":\"/7df2beb1c50a8a066493ee47669a4319.jpg\",\"sourcepath\":\"\",\"attempt\":1} ``` ## Webhooks Logs Account administrators can track all of the webhook requests sent for your account within the ExaVault File Manager web interface. To access Webhook logs: 1. Log into the ExaVault File Manager at your account name address. i.e., if your account is exampleaccount.exavault.com, go to https://exampleaccount.exavault.com and log in with your username and password 1. Click on the **Activity** option in the left-hand sidebar 1. Click on **Webhooks Logs** The webhook logs will show each time a webhook request was sent to your endpoint URL. The following information is recorded for each request: - date and time - when the system sent the request - endpoint url - where the webhook request was sent - event - what triggered the webhook - status - HTTP status or curl error code returned by the webhook endpoint - attempt - how many times this request has been sent - response size - size of the response from your webhook endpoint - details - the response body returned from your webhook endpoint * * API version: 2.0 * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)

v0.0.2 • 5 years ago

github.com/ejfhp/gofpdf

v1.16.2 • 6 years ago

github.com/Said6289/gofpdf

v1.17.0 • 4 years ago

github.com/somat/gofpdf

v1.16.2 • 6 years ago

github.com/royge/gofpdf

v1.16.3 • 5 years ago

github.com/mfojtik/cslb

Package cslb provides transparent HTTP/HTTPS Client Side Load Balancing for Go programs. Cslb intercepts "net/http" Dial Requests and re-directs them to a preferred set of target hosts based on the load balancing configuration expressed in DNS SRV and TXT Resource Records (RRs). Only one trivial change is required to client applications to benefit from cslb which is to import this package and (if needed) enabling it for non-default http.Transport instances. Cslb processing is triggered by the presence of SRV RRs. If no SRVs exist cslb is benign which means you can deploy your application with cslb and independently activate and deactivate cslb processing for each service at any time. No server-side changes are required at all - apart for possibly dispensing with your server-side load-balancers! Importing cslb automatically enables interception for http.DefaultTransport. In this program snippet: the Dial Request made by http.Get is intercepted and processed by cslb. If the application uses its own http.Transport then cslb processing needs to be activated by calling the cslb.Enable() function, i.e.: The cslb.Enable() function replaces http.Transport.DialContext with its own intercept function. Server-side load-balancers are no panacea. They add deployment and diagnostic complexity, cost, throughput constraints and become an additional point of possible failure. Cslb can help you achieve good load-balancing and fail-over behaviour without the need for *any* server-side load-balancers. This is particularly useful in enterprise and micro-service deployments as well as smaller application deployments where configuring and managing load-balancers is a significant resource drain. Cslb can be used to load-balance across geographically dispersed targets or where "hot stand-by" systems are purposely deployed on diverse infrastructure. When cslb intercepts a http.Transport Dial Request to port 80 or port 443 it looks up SRV RRs as prescribed by RFC2782. That is, _http._tcp.$domain and _https._tcp.$domain respectively. Cslb directs the Dial Request to the highest preference target based on the SRV algorithm. If that Dial Request fails, it tries the next lower preference target until a successful connection is returned or all unique targets fail or it runs out of time. Cslb caches the SRV RRs (or their non-existence) as well as the result of Dial Requests to the SRV targets to optimize subequent intercepted calls and the selection of preferred targets. If no SRV RRs exist, cslb passes the Dial Request on to net.DialContext. Cslb has specific rules about when interception occurs. It normally only considers intercepting port 80 and port 443 however if the "cslb_allports" environment variable is set, cslb intercepts non-standard HTTP ports and maps them to numeric service names. For example http://example.net:8080 gets mapped to _8080._tcp.example.net as the SRV name to resolve. While cslb runs passively by caching the results of previous Dial Requests, it can also run actively by periodically performing health checks on targets. This is useful as an administrator can control health check behaviour to move a target "in and out of rotation" without changing DNS entries and waiting for TTLs to age out. Health checks are also likely to make the application a little more responsive as they are less likely to make a dial attempt to a target that is not working. Active health checking is enabled by the presence of a TXT RR in the sub-domain "_$port._cslb" of the target. E.g. if the SRV target is "s1.example.net:80" then cslb looks for the TXT RR at "_80._cslb.s1.example.net". If that TXT RR contains a URL then it becomes the health check URL. If no TXT RR exists or the contents do not form a valid URL then no active health check is performed for that target. The health check URL does not have to be related to the target in any particular way. It could be a URL to a central monitoring system which performs complicated application level tests and performance monitoring. Or it could be a URL on the target system itself. A health check is considered successful when a GET of the URL returns a 200 status and the content contains the uppercase text "OK" somewhere in the body (See the "cslb_hc_ok" environment variable for how this can be modified). Unless both those conditions are met the target is considered unavailable. Active health checks cease once a target becomes idle for too long and health check Dial Requests are *not* get intercepted by cslb. If your current service exists on a single server called "s1.example.net" and you want to spread the load across additional servers "s2.example.net" and "s3.example.net" and assuming you've added the "cslb" package to your application then the following DNS changes active cslb processing: Current DNS Additional DNS A number of observations about this DNS setup: Cslb maintains a cache of SRV lookups and the health status of targets. Cache entries automatically age out as a form of garbage collection. Removed cache entries stop any associated active health checks. Unfortunately the cache ageing does not have access to the DNS TTLs associated with the SRV RRs so it makes a best-guess at reasonable time-to-live values. The important point to note is that *all* values get periodically refreshed from the DNS. Nothing persists internally forever regardless of the level of activity. This means you can be sure that any changes to your DNS will be noticed by cslb in due course. Cslb optional runs a web server which presents internal statistics on its performance and activity. This web service has *no* access controls so it's best to only run it on a loopback address. Setting the environment variable "cslb_listen" to a listen address activates the status server. E.g.: On initialization the cslb package examines the "cslb_options" environment variable for single letter options which have the following meaning: An example of how this might by used from a shell: Many internal configuration values can be over-ridden with environment variables as shown in this table: Any values which are invalid or fall outside a reasonable range are ignored. Cslb only knows about the results of network connection attempts made by DialContext and the results of any configured health checks. If a service is accepting network connections but not responding to HTTP requests - or responding negatively - the client experiences failures but cslb will be unaware of these failures. The result is that cslb will continue to direct future Dial Requests to that faulty service in accordance with the SRV priorities. If your service is vulnerable to this scenario, active health checks are recommended. This could be something ss simple as an on-service health check which responds based on recent "200 OK" responses in the service log file. Alternatively an on-service monitor which closes the listen socket will also work. In general, defining a failing service is a complicated matter that only the application truly understands. For this reason health checks are used as an intermediary which does understand application level failures and converts them to simple language which cslb groks. While every service is different there are a few general guidelines which apply to most services when using cslb. First of all, run simple health checks if you can and configure them for use by cslb. Second, have each target configured with both ipv4 and ipv6 addresses. This affords two potentially independent network paths to the targets. Furthermore, net.Dialer attempts both ipv4 and ipv6 connections simultaneously which maximizes responsiveness for the client. Third, consider a "canary" target as a low preference (highest numeric value SRV priority) target. If this "canary" target is accessed by cslb clients it tells you they are having trouble reaching their "real" targets. Being able to run a "canary" service is one of the side-benefits of cslb and SRVs. Whan analyzing the Status Web Page or watching the Run Time Control output, observers need to be aware of caching by the http (and possibly other) packages. For example not every call to http.Get() results in a Dial Request as httpClient tries to re-use connections. In a similar vein if you change a DNS entry and don't believe cslb has noticed this change within an appropriate TTL amount of time, be aware that on some platforms the intervening recursive resolvers adjust TTLs as they see fit. For example some home-gamer routers are known to increase short TTLs to values they believe to be a more "appropriate" in an attempt to reduce their cache churn. Perhaps the biggest caveat of all is that cslb relies on being enabled for all http.Transports in use by your application. If you are importing a package (either directly or indirectly) which constructs its own http.Transports then you'll need to modify that package to call cslb.Enable() otherwise those http requests will not be intercepted. Of course if the package is making requests incidental to the core functionality of your application then maybe it doesn't matter and you can leave them be. Something to be aware of. -----

v0.0.0-20200815222256-af3cb607f4f0 • 5 years ago

github.com/gertjanwytynck/gofpdf

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. • Choice of measurement unit, page format and margins • Page header and footer management • Automatic page breaks, line breaks, and text justification • Inclusion of JPEG, PNG, GIF and basic path-only SVG images • Colors, gradients and alpha channel transparency • Outline bookmarks • Internal and external links • TrueType, Type1 and encoding support • Page compression • Lines, Bézier curves, arcs, and ellipses • Rotation, scaling, skewing, translation, and mirroring • Clipping • Document protection • Layers • Templates gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. Like FPDF version 1.7, from which gofpdf is derived, this package does not yet support UTF-8 fonts. However, support is provided to translate UTF-8 runes to code page encodings. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running "go test ./..." is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you'll need to examine fpdf_test.go for some helper routines, for example exampleFilename() and summary(). Example PDFs can be compared with reference copies in order to verify that they have been generated as expected. This comparison will be performed if a PDF with the same name as the example PDF is placed in the gofpdf/pdf/reference directory. The routine that summarizes an example will look for this file and, if found, will call ComparePDFFiles() to check the example PDF for equality with its reference PDF. If differences exist between the two files they will be printed to standard output and the test will fail. If the reference file is missing, the comparison is considered to succeed. In order to successfully compare two PDFs, the placement of internal resources must be consistent and the internal creation timestamps must be the same. To do this, the methods SetCatalogSort() and SetCreationDate() need to be called for both files. This is done automatically for all examples. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). In order to use a different TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run "go build". This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include http://www.google.com/fonts/ and http://dejavu-fonts.org/. The draw2d package (https://github.com/llgcode/draw2d) is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. A contribution that does not directly pertain to the core functionality of gofpdf should be placed in its own directory directly beneath the `contrib` directory. Here are guidelines for making submissions. Your change should • be compatible with the MIT License • be properly documented • be formatted with `go fmt` • include an example in fpdf_test.go if appropriate • conform to the standards of golint (https://github.com/golang/lint) and go vet (https://godoc.org/golang.org/x/tools/cmd/vet), that is, `golint .` and `go vet .` should not generate any warnings • not diminish test coverage (https://blog.golang.org/cover) Pull requests (https://help.github.com/articles/using-pull-requests/) work nicely as a means of contributing your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package's code and documentation are closely derived from the FPDF library (http://www.fpdf.org/) created by Olivier Plathey, and a number of font and image resources are copied directly from it. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image's extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Additionally, he augmented the basic HTML functionality with aligned text. Bruno Michel has provided valuable assistance with the code. • Handle UTF-8 source text natively. Until then, automatic translation of UTF-8 runes to code page bytes is provided. • Improve test coverage as reported by the coverage tool. This example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retreived with the output call where it can be handled by the application.

v0.0.0-20151203132858-f05b029bee27 • 10 years ago

github.com/gitdlam/gofpdf

v1.16.2 • 6 years ago

github.com/Clarilab/gofpdf

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. - UTF-8 support - Choice of measurement unit, page format and margins - Page header and footer management - Automatic page breaks, line breaks, and text justification - Inclusion of JPEG, PNG, GIF, TIFF and basic path-only SVG images - Colors, gradients and alpha channel transparency - Outline bookmarks - Internal and external links - TrueType, Type1 and encoding support - Page compression - Lines, Bézier curves, arcs, and ellipses - Rotation, scaling, skewing, translation, and mirroring - Clipping - Document protection - Layers - Templates - Barcodes - Charting facility - Import PDFs as templates gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. gofpdf supports UTF-8 TrueType fonts and “right-to-left” languages. Note that Chinese, Japanese, and Korean characters may not be included in many general purpose fonts. For these languages, a specialized font (for example, NotoSansSC for simplified Chinese) can be used. Also, support is provided to automatically translate UTF-8 runes to code page encodings for languages that have fewer than 256 glyphs. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running go test ./... is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you’ll need to examine fpdf_test.go for some helper routines, for example exampleFilename() and summary(). Example PDFs can be compared with reference copies in order to verify that they have been generated as expected. This comparison will be performed if a PDF with the same name as the example PDF is placed in the gofpdf/pdf/reference directory and if the third argument to ComparePDFFiles() in internal/example/example.go is true. (By default it is false.) The routine that summarizes an example will look for this file and, if found, will call ComparePDFFiles() to check the example PDF for equality with its reference PDF. If differences exist between the two files they will be printed to standard output and the test will fail. If the reference file is missing, the comparison is considered to succeed. In order to successfully compare two PDFs, the placement of internal resources must be consistent and the internal creation timestamps must be the same. To do this, the methods SetCatalogSort() and SetCreationDate() need to be called for both files. This is done automatically for all examples. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). You should use AddUTF8Font() or AddUTF8FontFromBytes() to add a TrueType UTF-8 encoded font. Use RTL() and LTR() methods switch between “right-to-left” and “left-to-right” mode. In order to use a different non-UTF-8 TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run “go build”. This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include Google Fonts and DejaVu Fonts. The draw2d package is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. A contribution that does not directly pertain to the core functionality of gofpdf should be placed in its own directory directly beneath the contrib directory. Here are guidelines for making submissions. Your change should - be compatible with the MIT License - be properly documented - be formatted with go fmt - include an example in fpdf_test.go if appropriate - conform to the standards of golint and go vet, that is, golint . and go vet . should not generate any warnings - not diminish test coverage Pull requests are the preferred means of accepting your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package’s code and documentation are closely derived from the FPDF library created by Olivier Plathey, and a number of font and image resources are copied directly from it. Bruno Michel has provided valuable assistance with the code. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image’s extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Jelmer Snoek and Guillermo Pascual augmented the basic HTML functionality with aligned text. Kent Quirk implemented backwards-compatible support for reading DPI from images that support it, and for setting DPI manually and then having it properly taken into account when calculating image size. Paulo Coutinho provided support for static embedded fonts. Dan Meyers added support for embedded JavaScript. David Fish added a generic alias-replacement function to enable, among other things, table of contents functionality. Andy Bakun identified and corrected a problem in which the internal catalogs were not sorted stably. Paul Montag added encoding and decoding functionality for templates, including images that are embedded in templates; this allows templates to be stored independently of gofpdf. Paul also added support for page boxes used in printing PDF documents. Wojciech Matusiak added supported for word spacing. Artem Korotkiy added support of UTF-8 fonts. Dave Barnes added support for imported objects and templates. Brigham Thompson added support for rounded rectangles. Joe Westcott added underline functionality and optimized image storage. Benoit KUGLER contributed support for rectangles with corners of unequal radius, modification times, and for file attachments and annotations. - Remove all legacy code page font support; use UTF-8 exclusively - Improve test coverage as reported by the coverage tool. Example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retrieved with the output call where it can be handled by the application.

v1.5.4 • last year

github.com/0xazure/gofpdf

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. • Choice of measurement unit, page format and margins • Page header and footer management • Automatic page breaks, line breaks, and text justification • Inclusion of JPEG, PNG, GIF and basic path-only SVG images • Colors, gradients and alpha channel transparency • Outline bookmarks • Internal and external links • TrueType, Type1 and encoding support • Page compression • Lines, Bézier curves, arcs, and ellipses • Rotation, scaling, skewing, translation, and mirroring • Clipping • Document protection • Layers • Templates gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. Like FPDF version 1.7, from which gofpdf is derived, this package does not yet support UTF-8 fonts. However, support is provided to translate UTF-8 runes to code page encodings. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running "go test ./..." is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you'll need to examine fpdf_test.go for some helper routines, for example exampleFilename() and summary(). Example PDFs can be compared with reference copies in order to verify that they have been generated as expected. This comparison will be performed if a PDF with the same name as the example PDF is placed in the gofpdf/pdf/reference directory. The routine that summarizes an example will look for this file and, if found, will call ComparePDFFiles() to check the example PDF for equality with its reference PDF. If differences exist between the two files they will be printed to standard output and the test will fail. If the reference file is missing, the comparison is considered to succeed. In order to successfully compare two PDFs, the placement of internal resources must be consistent and the internal creation timestamps must be the same. To do this, the methods SetCatalogSort() and SetCreationDate() need to be called for both files. This is done automatically for all examples. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). In order to use a different TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run "go build". This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include http://www.google.com/fonts/ and http://dejavu-fonts.org/. The draw2d package (https://github.com/llgcode/draw2d) is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. A contribution that does not directly pertain to the core functionality of gofpdf should be placed in its own directory directly beneath the `contrib` directory. Here are guidelines for making submissions. Your change should • be compatible with the MIT License • be properly documented • be formatted with `go fmt` • include an example in fpdf_test.go if appropriate • conform to the standards of golint (https://github.com/golang/lint) and go vet (https://godoc.org/golang.org/x/tools/cmd/vet), that is, `golint .` and `go vet .` should not generate any warnings • not diminish test coverage (https://blog.golang.org/cover) Pull requests (https://help.github.com/articles/using-pull-requests/) work nicely as a means of contributing your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package's code and documentation are closely derived from the FPDF library (http://www.fpdf.org/) created by Olivier Plathey, and a number of font and image resources are copied directly from it. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image's extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Additionally, he augmented the basic HTML functionality with aligned text. Kent Quirk implemented backwards-compatible support for reading DPI from images that support it, and for setting DPI manually and then having it properly taken into account when calculating image size. Bruno Michel has provided valuable assistance with the code. • Handle UTF-8 source text natively. Until then, automatic translation of UTF-8 runes to code page bytes is provided. • Improve test coverage as reported by the coverage tool. This example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retreived with the output call where it can be handled by the application.

v0.0.0-20160309190112-bcfb7a87cbd1 • 9 years ago

github.com/markdingo/cslb

v1.1.0 • 2 years ago

github.com/pjtatlow/gofpdf

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. • Choice of measurement unit, page format and margins • Page header and footer management • Automatic page breaks, line breaks, and text justification • Inclusion of JPEG, PNG, GIF, TIFF and basic path-only SVG images • Colors, gradients and alpha channel transparency • Outline bookmarks • Internal and external links • TrueType, Type1 and encoding support • Page compression • Lines, Bézier curves, arcs, and ellipses • Rotation, scaling, skewing, translation, and mirroring • Clipping • Document protection • Layers • Templates • Barcodes gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. Like FPDF version 1.7, from which gofpdf is derived, this package does not yet support UTF-8 fonts. In particular, languages that require more than one code page such as Chinese, Japanese, and Arabic are not currently supported. This is explained in issue 109. However, support is provided to automatically translate UTF-8 runes to code page encodings for languages that have fewer than 256 glyphs. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running "go test ./..." is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you'll need to examine fpdf_test.go for some helper routines, for example exampleFilename() and summary(). Example PDFs can be compared with reference copies in order to verify that they have been generated as expected. This comparison will be performed if a PDF with the same name as the example PDF is placed in the gofpdf/pdf/reference directory and if the third argument to ComparePDFFiles() in internal/example/example.go is true. (By default it is false.) The routine that summarizes an example will look for this file and, if found, will call ComparePDFFiles() to check the example PDF for equality with its reference PDF. If differences exist between the two files they will be printed to standard output and the test will fail. If the reference file is missing, the comparison is considered to succeed. In order to successfully compare two PDFs, the placement of internal resources must be consistent and the internal creation timestamps must be the same. To do this, the methods SetCatalogSort() and SetCreationDate() need to be called for both files. This is done automatically for all examples. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). In order to use a different TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run "go build". This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include http://www.google.com/fonts/ and http://dejavu-fonts.org/. The draw2d package (https://github.com/llgcode/draw2d) is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. A contribution that does not directly pertain to the core functionality of gofpdf should be placed in its own directory directly beneath the `contrib` directory. Here are guidelines for making submissions. Your change should • be compatible with the MIT License • be properly documented • be formatted with `go fmt` • include an example in fpdf_test.go if appropriate • conform to the standards of golint (https://github.com/golang/lint) and go vet (https://godoc.org/golang.org/x/tools/cmd/vet), that is, `golint .` and `go vet .` should not generate any warnings • not diminish test coverage (https://blog.golang.org/cover) Pull requests (https://help.github.com/articles/using-pull-requests/) work nicely as a means of contributing your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package's code and documentation are closely derived from the FPDF library (http://www.fpdf.org/) created by Olivier Plathey, and a number of font and image resources are copied directly from it. Bruno Michel has provided valuable assistance with the code. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image's extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Jelmer Snoek and Guillermo Pascual augmented the basic HTML functionality with aligned text. Kent Quirk implemented backwards-compatible support for reading DPI from images that support it, and for setting DPI manually and then having it properly taken into account when calculating image size. Paulo Coutinho provided support for static embedded fonts. Dan Meyers added support for embedded JavaScript. David Fish added a generic alias-replacement function to enable, among other things, table of contents functionality. Andy Bakun identified and corrected a problem in which the internal catalogs were not sorted stably. • Handle UTF-8 source text natively. Until then, automatic translation of UTF-8 runes to code page bytes is provided. • Improve test coverage as reported by the coverage tool. This example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retrieved with the output call where it can be handled by the application.

v1.0.0 • 8 years ago

github.com/rubenhazelaar/gofpdf

v1.16.2 • 6 years ago

github.com/mkasner/gofpdf

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. • Choice of measurement unit, page format and margins • Page header and footer management • Automatic page breaks, line breaks, and text justification • Inclusion of JPEG, PNG, GIF and basic path-only SVG images • Colors, gradients and alpha channel transparency • Outline bookmarks • Internal and external links • TrueType, Type1 and encoding support • Page compression • Lines, Bézier curves, arcs, and ellipses • Rotation, scaling, skewing, translation, and mirroring • Clipping • Document protection • Layers • Templates gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. Like FPDF version 1.7, from which gofpdf is derived, this package does not yet support UTF-8 fonts. However, support is provided to translate UTF-8 runes to code page encodings. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running "go test ./..." is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you'll need to examine fpdf_test.go for some helper routines, for example exampleFilename and summary. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). In order to use a different TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run "go build". This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include http://www.google.com/fonts/ and http://dejavu-fonts.org/. The draw2d package (https://github.com/llgcode/draw2d) is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. Contributions that do not directly pertain to the core functionality of gofpdf should be placed in their own directory directly beneath the `contrib` directory. Here are guidelines for making submissions. Your change should • be compatible with the MIT License • be properly documented • include an example in fpdf_test.go if appropriate • conform to the standards of golint (https://github.com/golang/lint) and go vet (https://godoc.org/golang.org/x/tools/cmd/vet), that is, `golint .` and `go vet .` should not generate any warnings • not diminish test coverage (https://blog.golang.org/cover) Pull requests (https://help.github.com/articles/using-pull-requests/) work nicely as a means of contributing your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package's code and documentation are closely derived from the FPDF library (http://www.fpdf.org/) created by Olivier Plathey, and a number of font and image resources are copied directly from it. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image's extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Bruno Michel has provided valuable assistance with the code. • Handle UTF-8 source text natively. Until then, automatic translation of UTF-8 runes to code page bytes is provided. • Improve test coverage as reported by the coverage tool. This example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retreived with the output call where it can be handled by the application.

v0.0.0-20150902200309-1d098a6b577f • 10 years ago

github.com/d0ngw/gofpdf

v1.16.4 • 5 years ago

github.com/benchiboy/gofpdf

v1.16.2 • 6 years ago

github.com/tianlin/ora

Package ora implements an Oracle database driver. ### Golang Oracle Database Driver ### #### TL;DR; just use it #### Call stored procedure with OUT parameters: An Oracle database may be accessed through the database/sql(http://golang.org/pkg/database/sql) package or through the ora package directly. database/sql offers connection pooling, thread safety, a consistent API to multiple database technologies and a common set of Go types. The ora package offers additional features including pointers, slices, nullable types, numerics of various sizes, Oracle-specific types, Go return type configuration, and Oracle abstractions such as environment, server and session. The ora package is written with the Oracle Call Interface (OCI) C-language libraries provided by Oracle. The OCI libraries are a standard for client application communication and driver communication with Oracle databases. The ora package has been verified to work with: * Oracle Standard 11g (11.2.0.4.0), Linux x86_64 (RHEL6) * Oracle Enterprise 12c (12.1.0.1.0), Windows 8.1 and AMD64. --- * [Installation](https://github.com/rana/ora#installation) * [Data Types](https://github.com/rana/ora#data-types) * [SQL Placeholder Syntax](https://github.com/rana/ora#sql-placeholder-syntax) * [Working With The Sql Package](https://github.com/rana/ora#working-with-the-sql-package) * [Working With The Oracle Package Directly](https://github.com/rana/ora#working-with-the-oracle-package-directly) * [Logging](https://github.com/rana/ora#logging) * [Test Database Setup](https://github.com/rana/ora#test-database-setup) * [Limitations](https://github.com/rana/ora#limitations) * [License](https://github.com/rana/ora#license) * [API Reference](http://godoc.org/github.com/rana/ora#pkg-index) * [Examples](./examples) --- Minimum requirements are Go 1.3 with CGO enabled, a GCC C compiler, and Oracle 11g (11.2.0.4.0) or Oracle Instant Client (11.2.0.4.0). Install Oracle or Oracle Instant Client. Copy the [oci8.pc](contrib/oci8.pc) from the `contrib` folder (or the one for your system, maybe tailored to your specific locations) to a folder in `$PKG_CONFIG_PATH` or a system folder, such as The ora package has no external Go dependencies and is available on GitHub and gopkg.in: The ora package supports all built-in Oracle data types. The supported Oracle built-in data types are NUMBER, BINARY_DOUBLE, BINARY_FLOAT, FLOAT, DATE, TIMESTAMP, TIMESTAMP WITH TIME ZONE, TIMESTAMP WITH LOCAL TIME ZONE, INTERVAL YEAR TO MONTH, INTERVAL DAY TO SECOND, CHAR, NCHAR, VARCHAR, VARCHAR2, NVARCHAR2, LONG, CLOB, NCLOB, BLOB, LONG RAW, RAW, ROWID and BFILE. SYS_REFCURSOR is also supported. Oracle does not provide a built-in boolean type. Oracle provides a single-byte character type. A common practice is to define two single-byte characters which represent true and false. The ora package adopts this approach. The oracle package associates a Go bool value to a Go rune and sends and receives the rune to a CHAR(1 BYTE) column or CHAR(1 CHAR) column. The default false rune is zero '0'. The default true rune is one '1'. The bool rune association may be configured or disabled when directly using the ora package but not with the database/sql package. Within a SQL string a placeholder may be specified to indicate where a Go variable is placed. The SQL placeholder is an Oracle identifier, from 1 to 30 characters, prefixed with a colon (:). For example: Placeholders within a SQL statement are bound by position. The actual name is not used by the ora package driver e.g., placeholder names :c1, :1, or :xyz are treated equally. The `database/sql` package provides a LastInsertId method to return the last inserted row's id. Oracle does not provide such functionality, but if you append `... RETURNING col /*LastInsertId*/` to your SQL, then it will be presented as LastInsertId. Note that you have to mark with a `/*LastInsertId*/` (case insensitive) your `RETURNING` part, to allow ora to return the last column as `LastInsertId()`. That column must fit in `int64`, though! You may access an Oracle database through the database/sql package. The database/sql package offers a consistent API across different databases, connection pooling, thread safety and a set of common Go types. database/sql makes working with Oracle straight-forward. The ora package implements interfaces in the database/sql/driver package enabling database/sql to communicate with an Oracle database. Using database/sql ensures you never have to call the ora package directly. When using database/sql, the mapping between Go types and Oracle types may be changed slightly. The database/sql package has strict expectations on Go return types. The Go-to-Oracle type mapping for database/sql is: The "ora" driver is automatically registered for use with sql.Open, but you can call ora.SetCfg to set the used configuration options including statement configuration and Rset configuration. When configuring the driver for use with database/sql, keep in mind that database/sql has strict Go type-to-Oracle type mapping expectations. The ora package allows programming with pointers, slices, nullable types, numerics of various sizes, Oracle-specific types, Go return type configuration, and Oracle abstractions such as environment, server and session. When working with the ora package directly, the API is slightly different than database/sql. When using the ora package directly, the mapping between Go types and Oracle types may be changed. The Go-to-Oracle type mapping for the ora package is: An example of using the ora package directly: Pointers may be used to capture out-bound values from a SQL statement such as an insert or stored procedure call. For example, a numeric pointer captures an identity value: A string pointer captures an out parameter from a stored procedure: Slices may be used to insert multiple records with a single insert statement: The ora package provides nullable Go types to support DML operations such as insert and select. The nullable Go types provided by the ora package are Int64, Int32, Int16, Int8, Uint64, Uint32, Uint16, Uint8, Float64, Float32, Time, IntervalYM, IntervalDS, String, Bool, Binary and Bfile. For example, you may insert nullable Strings and select nullable Strings: The `Stmt.Prep` method is variadic accepting zero or more `GoColumnType` which define a Go return type for a select-list column. For example, a Prep call can be configured to return an int64 and a nullable Int64 from the same column: Go numerics of various sizes are supported in DML operations. The ora package supports int64, int32, int16, int8, uint64, uint32, uint16, uint8, float64 and float32. For example, you may insert a uint16 and select numerics of various sizes: If a non-nullable type is defined for a nullable column returning null, the Go type's zero value is returned. GoColumnTypes defined by the ora package are: When Stmt.Prep doesn't receive a GoColumnType, or receives an incorrect GoColumnType, the default value defined in RsetCfg is used. EnvCfg, SrvCfg, SesCfg, StmtCfg and RsetCfg are the main configuration structs. EnvCfg configures aspects of an Env. SrvCfg configures aspects of a Srv. SesCfg configures aspects of a Ses. StmtCfg configures aspects of a Stmt. RsetCfg configures aspects of Rset. StmtCfg and RsetCfg have the most options to configure. RsetCfg defines the default mapping between an Oracle select-list column and a Go type. StmtCfg may be set in an EnvCfg, SrvCfg, SesCfg and StmtCfg. RsetCfg may be set in a Stmt. EnvCfg.StmtCfg, SrvCfg.StmtCfg, SesCfg.StmtCfg may optionally be specified to configure a statement. If StmtCfg isn't specified default values are applied. EnvCfg.StmtCfg, SrvCfg.StmtCfg, SesCfg.StmtCfg cascade to new descendent structs. When ora.OpenEnv() is called a specified EnvCfg is used or a default EnvCfg is created. Creating a Srv with env.OpenSrv() will use SrvCfg.StmtCfg if it is specified; otherwise, EnvCfg.StmtCfg is copied by value to SrvCfg.StmtCfg. Creating a Ses with srv.OpenSes() will use SesCfg.StmtCfg if it is specified; otherwise, SrvCfg.StmtCfg is copied by value to SesCfg.StmtCfg. Creating a Stmt with ses.Prep() will use SesCfg.StmtCfg if it is specified; otherwise, a new StmtCfg with default values is set on the Stmt. Call Stmt.Cfg() to change a Stmt's configuration. An Env may contain multiple Srv. A Srv may contain multiple Ses. A Ses may contain multiple Stmt. A Stmt may contain multiple Rset. Setting a RsetCfg on a StmtCfg does not cascade through descendent structs. Configuration of Stmt.Cfg takes effect prior to calls to Stmt.Exe and Stmt.Qry; consequently, any updates to Stmt.Cfg after a call to Stmt.Exe or Stmt.Qry are not observed. One configuration scenario may be to set a server's select statements to return nullable Go types by default: Another scenario may be to configure the runes mapped to bool values: Oracle-specific types offered by the ora package are ora.Rset, ora.IntervalYM, ora.IntervalDS, ora.Raw, ora.Lob and ora.Bfile. ora.Rset represents an Oracle SYS_REFCURSOR. ora.IntervalYM represents an Oracle INTERVAL YEAR TO MONTH. ora.IntervalDS represents an Oracle INTERVAL DAY TO SECOND. ora.Raw represents an Oracle RAW or LONG RAW. ora.Lob may represent an Oracle BLOB or Oracle CLOB. And ora.Bfile represents an Oracle BFILE. ROWID columns are returned as strings and don't have a unique Go type. #### LOBs The default for SELECTing [BC]LOB columns is a safe Bin or S, which means all the contents of the LOB is slurped into memory and returned as a []byte or string. If you want more control, you can use ora.L in Prep, Qry or `ses.SetCfg(ses.Cfg().SetBlob(ora.L))`. But keep in mind that Oracle restricts the use of LOBs: it is forbidden to do ANYTHING while reading the LOB! No another query, no exec, no close of the Rset - even *advance* to the next record in the result set is forbidden! Failing to adhere these rules results in "Invalid handle" and ORA-03127 errors. You cannot start reading another LOB till you haven't finished reading the previous LOB, not even in the same row! Failing this results in ORA-24804! For examples, see [z_lob_test.go](z_lob_test.go). #### Rset Rset is used to obtain Go values from a SQL select statement. Methods Rset.Next, Rset.NextRow, and Rset.Len are available. Fields Rset.Row, Rset.Err, Rset.Index, and Rset.ColumnNames are also available. The Next method attempts to load data from an Oracle buffer into Row, returning true when successful. When no data is available, or if an error occurs, Next returns false setting Row to nil. Any error in Next is assigned to Err. Calling Next increments Index and method Len returns the total number of rows processed. The NextRow method is convenient for returning a single row. NextRow calls Next and returns Row. ColumnNames returns the names of columns defined by the SQL select statement. Rset has two usages. Rset may be returned from Stmt.Qry when prepared with a SQL select statement: Or, *Rset may be passed to Stmt.Exe when prepared with a stored procedure accepting an OUT SYS_REFCURSOR parameter: Stored procedures with multiple OUT SYS_REFCURSOR parameters enable a single Exe call to obtain multiple Rsets: The types of values assigned to Row may be configured in StmtCfg.Rset. For configuration to take effect, assign StmtCfg.Rset prior to calling Stmt.Qry or Stmt.Exe. Rset prefetching may be controlled by StmtCfg.PrefetchRowCount and StmtCfg.PrefetchMemorySize. PrefetchRowCount works in coordination with PrefetchMemorySize. When PrefetchRowCount is set to zero only PrefetchMemorySize is used; otherwise, the minimum of PrefetchRowCount and PrefetchMemorySize is used. The default uses a PrefetchMemorySize of 134MB. Opening and closing Rsets is managed internally. Rset does not have an Open method or Close method. IntervalYM may be be inserted and selected: IntervalDS may be be inserted and selected: Transactions on an Oracle server are supported. DML statements auto-commit unless a transaction has started: Ses.PrepAndExe, Ses.PrepAndQry, Ses.Ins, Ses.Upd, and Ses.Sel are convenient one-line methods. Ses.PrepAndExe offers a convenient one-line call to Ses.Prep and Stmt.Exe. Ses.PrepAndQry offers a convenient one-line call to Ses.Prep and Stmt.Qry. Ses.Ins composes, prepares and executes a sql INSERT statement. Ses.Ins is useful when you have to create and maintain a simple INSERT statement with a long list of columns. As table columns are added and dropped over the lifetime of a table Ses.Ins is easy to read and revise. Ses.Upd composes, prepares and executes a sql UPDATE statement. Ses.Upd is useful when you have to create and maintain a simple UPDATE statement with a long list of columns. As table columns are added and dropped over the lifetime of a table Ses.Upd is easy to read and revise. Ses.Sel composes, prepares and queries a sql SELECT statement. Ses.Sel is useful when you have to create and maintain a simple SELECT statement with a long list of columns that have non-default GoColumnTypes. As table columns are added and dropped over the lifetime of a table Ses.Sel is easy to read and revise. The Ses.Ping method checks whether the client's connection to an Oracle server is valid. A call to Ping requires an open Ses. Ping will return a nil error when the connection is fine: The Srv.Version method is available to obtain the Oracle server version. A call to Version requires an open Ses: Further code examples are available in the [example file](https://github.com/rana/ora/blob/master/z_example_test.go), test files and [samples folder](https://github.com/rana/ora/tree/master/samples). The ora package provides a simple ora.Logger interface for logging. Logging is disabled by default. Specify one of three optional built-in logging packages to enable logging; or, use your own logging package. ora.Cfg().Log offers various options to enable or disable logging of specific ora driver methods. For example: To use the standard Go log package: which produces a sample log of: Messages are prefixed with 'ORA I' for information or 'ORA E' for an error. The log package is configured to write to os.Stderr by default. Use the ora/lg.Std type to configure an alternative io.Writer. To use the glog package: which produces a sample log of: To use the log15 package: which produces a sample log of: See https://github.com/rana/ora/tree/master/samples/lg15/main.go for sample code which uses the log15 package. Tests are available and require some setup. Setup varies depending on whether the Oracle server is configured as a container database or non-container database. It's simpler to setup a non-container database. An example for each setup is explained. Non-container test database setup steps: Container test database setup steps: Some helpful SQL maintenance statements: Run the tests. database/sql method Stmt.QueryRow is not supported. Go 1.6 introduced stricter cgo (call C from Go) rules, and introduced runtime checks. This is good, as the possibility of C code corrupting Go code is almost completely eliminated, but it also means a severe call overhead grow. [Sometimes](https://groups.google.com/forum/#!topic/golang-nuts/ccMkPG6Bi5k) this can be 22x the go 1.5.3 call time! So if you need performance more than correctness, start your programs with "GODEBUG=cgocheck=0" environment setting. Copyright 2017 Rana Ian, Tamás Gulácsi. All rights reserved. Use of this source code is governed by The MIT License found in the accompanying LICENSE file.

v4.1.9+incompatible • 8 years ago

github.com/freeman983/ora

Package ora implements an Oracle database driver. ### Golang Oracle Database Driver ### #### TL;DR; just use it #### Call stored procedure with OUT parameters: An Oracle database may be accessed through the database/sql(http://golang.org/pkg/database/sql) package or through the ora package directly. database/sql offers connection pooling, thread safety, a consistent API to multiple database technologies and a common set of Go types. The ora package offers additional features including pointers, slices, nullable types, numerics of various sizes, Oracle-specific types, Go return type configuration, and Oracle abstractions such as environment, server and session. The ora package is written with the Oracle Call Interface (OCI) C-language libraries provided by Oracle. The OCI libraries are a standard for client application communication and driver communication with Oracle databases. The ora package has been verified to work with: * Oracle Standard 11g (11.2.0.4.0), Linux x86_64 (RHEL6) * Oracle Enterprise 12c (12.1.0.1.0), Windows 8.1 and AMD64. --- * [Installation](https://github.com/rana/ora#installation) * [Data Types](https://github.com/rana/ora#data-types) * [SQL Placeholder Syntax](https://github.com/rana/ora#sql-placeholder-syntax) * [Working With The Sql Package](https://github.com/rana/ora#working-with-the-sql-package) * [Working With The Oracle Package Directly](https://github.com/rana/ora#working-with-the-oracle-package-directly) * [Logging](https://github.com/rana/ora#logging) * [Test Database Setup](https://github.com/rana/ora#test-database-setup) * [Limitations](https://github.com/rana/ora#limitations) * [License](https://github.com/rana/ora#license) * [API Reference](http://godoc.org/github.com/rana/ora#pkg-index) * [Examples](./examples) --- Minimum requirements are Go 1.3 with CGO enabled, a GCC C compiler, and Oracle 11g (11.2.0.4.0) or Oracle Instant Client (11.2.0.4.0). Install Oracle or Oracle Instant Client. Copy the [oci8.pc](contrib/oci8.pc) from the `contrib` folder (or the one for your system, maybe tailored to your specific locations) to a folder in `$PKG_CONFIG_PATH` or a system folder, such as The ora package has no external Go dependencies and is available on GitHub and gopkg.in: *WARNING*: If you have Oracle Instant Client 11.2, you'll need to add "=lnnz11" to the list of linked libs! Otherwise, you may encounter "undefined reference to `nzosSCSP_SetCertSelectionParams' " errors. Oracle Instant Client 12.1 does not need this. The ora package supports all built-in Oracle data types. The supported Oracle built-in data types are NUMBER, BINARY_DOUBLE, BINARY_FLOAT, FLOAT, DATE, TIMESTAMP, TIMESTAMP WITH TIME ZONE, TIMESTAMP WITH LOCAL TIME ZONE, INTERVAL YEAR TO MONTH, INTERVAL DAY TO SECOND, CHAR, NCHAR, VARCHAR, VARCHAR2, NVARCHAR2, LONG, CLOB, NCLOB, BLOB, LONG RAW, RAW, ROWID and BFILE. SYS_REFCURSOR is also supported. Oracle does not provide a built-in boolean type. Oracle provides a single-byte character type. A common practice is to define two single-byte characters which represent true and false. The ora package adopts this approach. The oracle package associates a Go bool value to a Go rune and sends and receives the rune to a CHAR(1 BYTE) column or CHAR(1 CHAR) column. The default false rune is zero '0'. The default true rune is one '1'. The bool rune association may be configured or disabled when directly using the ora package but not with the database/sql package. Within a SQL string a placeholder may be specified to indicate where a Go variable is placed. The SQL placeholder is an Oracle identifier, from 1 to 30 characters, prefixed with a colon (:). For example: Placeholders within a SQL statement are bound by position. The actual name is not used by the ora package driver e.g., placeholder names :c1, :1, or :xyz are treated equally. The `database/sql` package provides a LastInsertId method to return the last inserted row's id. Oracle does not provide such functionality, but if you append `... RETURNING col /*LastInsertId*/` to your SQL, then it will be presented as LastInsertId. Note that you have to mark with a `/*LastInsertId*/` (case insensitive) your `RETURNING` part, to allow ora to return the last column as `LastInsertId()`. That column must fit in `int64`, though! You may access an Oracle database through the database/sql package. The database/sql package offers a consistent API across different databases, connection pooling, thread safety and a set of common Go types. database/sql makes working with Oracle straight-forward. The ora package implements interfaces in the database/sql/driver package enabling database/sql to communicate with an Oracle database. Using database/sql ensures you never have to call the ora package directly. When using database/sql, the mapping between Go types and Oracle types may be changed slightly. The database/sql package has strict expectations on Go return types. The Go-to-Oracle type mapping for database/sql is: The "ora" driver is automatically registered for use with sql.Open, but you can call ora.SetCfg to set the used configuration options including statement configuration and Rset configuration. When configuring the driver for use with database/sql, keep in mind that database/sql has strict Go type-to-Oracle type mapping expectations. The ora package allows programming with pointers, slices, nullable types, numerics of various sizes, Oracle-specific types, Go return type configuration, and Oracle abstractions such as environment, server and session. When working with the ora package directly, the API is slightly different than database/sql. When using the ora package directly, the mapping between Go types and Oracle types may be changed. The Go-to-Oracle type mapping for the ora package is: An example of using the ora package directly: Pointers may be used to capture out-bound values from a SQL statement such as an insert or stored procedure call. For example, a numeric pointer captures an identity value: A string pointer captures an out parameter from a stored procedure: Slices may be used to insert multiple records with a single insert statement: The ora package provides nullable Go types to support DML operations such as insert and select. The nullable Go types provided by the ora package are Int64, Int32, Int16, Int8, Uint64, Uint32, Uint16, Uint8, Float64, Float32, Time, IntervalYM, IntervalDS, String, Bool, Binary and Bfile. For example, you may insert nullable Strings and select nullable Strings: The `Stmt.Prep` method is variadic accepting zero or more `GoColumnType` which define a Go return type for a select-list column. For example, a Prep call can be configured to return an int64 and a nullable Int64 from the same column: Go numerics of various sizes are supported in DML operations. The ora package supports int64, int32, int16, int8, uint64, uint32, uint16, uint8, float64 and float32. For example, you may insert a uint16 and select numerics of various sizes: If a non-nullable type is defined for a nullable column returning null, the Go type's zero value is returned. GoColumnTypes defined by the ora package are: When Stmt.Prep doesn't receive a GoColumnType, or receives an incorrect GoColumnType, the default value defined in RsetCfg is used. EnvCfg, SrvCfg, SesCfg, StmtCfg and RsetCfg are the main configuration structs. EnvCfg configures aspects of an Env. SrvCfg configures aspects of a Srv. SesCfg configures aspects of a Ses. StmtCfg configures aspects of a Stmt. RsetCfg configures aspects of Rset. StmtCfg and RsetCfg have the most options to configure. RsetCfg defines the default mapping between an Oracle select-list column and a Go type. StmtCfg may be set in an EnvCfg, SrvCfg, SesCfg and StmtCfg. RsetCfg may be set in a Stmt. EnvCfg.StmtCfg, SrvCfg.StmtCfg, SesCfg.StmtCfg may optionally be specified to configure a statement. If StmtCfg isn't specified default values are applied. EnvCfg.StmtCfg, SrvCfg.StmtCfg, SesCfg.StmtCfg cascade to new descendent structs. When ora.OpenEnv() is called a specified EnvCfg is used or a default EnvCfg is created. Creating a Srv with env.OpenSrv() will use SrvCfg.StmtCfg if it is specified; otherwise, EnvCfg.StmtCfg is copied by value to SrvCfg.StmtCfg. Creating a Ses with srv.OpenSes() will use SesCfg.StmtCfg if it is specified; otherwise, SrvCfg.StmtCfg is copied by value to SesCfg.StmtCfg. Creating a Stmt with ses.Prep() will use SesCfg.StmtCfg if it is specified; otherwise, a new StmtCfg with default values is set on the Stmt. Call Stmt.Cfg() to change a Stmt's configuration. An Env may contain multiple Srv. A Srv may contain multiple Ses. A Ses may contain multiple Stmt. A Stmt may contain multiple Rset. Setting a RsetCfg on a StmtCfg does not cascade through descendent structs. Configuration of Stmt.Cfg takes effect prior to calls to Stmt.Exe and Stmt.Qry; consequently, any updates to Stmt.Cfg after a call to Stmt.Exe or Stmt.Qry are not observed. One configuration scenario may be to set a server's select statements to return nullable Go types by default: Another scenario may be to configure the runes mapped to bool values: Oracle-specific types offered by the ora package are ora.Rset, ora.IntervalYM, ora.IntervalDS, ora.Raw, ora.Lob and ora.Bfile. ora.Rset represents an Oracle SYS_REFCURSOR. ora.IntervalYM represents an Oracle INTERVAL YEAR TO MONTH. ora.IntervalDS represents an Oracle INTERVAL DAY TO SECOND. ora.Raw represents an Oracle RAW or LONG RAW. ora.Lob may represent an Oracle BLOB or Oracle CLOB. And ora.Bfile represents an Oracle BFILE. ROWID columns are returned as strings and don't have a unique Go type. #### LOBs The default for SELECTing [BC]LOB columns is a safe Bin or S, which means all the contents of the LOB is slurped into memory and returned as a []byte or string. The DefaultLOBFetchLen says LOBs are prefetched only a minimal way, to minimize extra memory usage - you can override this using `stmt.SetCfg(stmt.Cfg().SetLOBFetchLen(100))`. If you want more control, you can use ora.L in Prep, Qry or `ses.SetCfg(ses.Cfg().SetBlob(ora.L))`. But keep in mind that Oracle restricts the use of LOBs: it is forbidden to do ANYTHING while reading the LOB! No another query, no exec, no close of the Rset - even *advance* to the next record in the result set is forbidden! Failing to adhere these rules results in "Invalid handle" and ORA-03127 errors. You cannot start reading another LOB till you haven't finished reading the previous LOB, not even in the same row! Failing this results in ORA-24804! For examples, see [z_lob_test.go](z_lob_test.go). #### Rset Rset is used to obtain Go values from a SQL select statement. Methods Rset.Next, Rset.NextRow, and Rset.Len are available. Fields Rset.Row, Rset.Err, Rset.Index, and Rset.ColumnNames are also available. The Next method attempts to load data from an Oracle buffer into Row, returning true when successful. When no data is available, or if an error occurs, Next returns false setting Row to nil. Any error in Next is assigned to Err. Calling Next increments Index and method Len returns the total number of rows processed. The NextRow method is convenient for returning a single row. NextRow calls Next and returns Row. ColumnNames returns the names of columns defined by the SQL select statement. Rset has two usages. Rset may be returned from Stmt.Qry when prepared with a SQL select statement: Or, *Rset may be passed to Stmt.Exe when prepared with a stored procedure accepting an OUT SYS_REFCURSOR parameter: Stored procedures with multiple OUT SYS_REFCURSOR parameters enable a single Exe call to obtain multiple Rsets: The types of values assigned to Row may be configured in StmtCfg.Rset. For configuration to take effect, assign StmtCfg.Rset prior to calling Stmt.Qry or Stmt.Exe. Rset prefetching may be controlled by StmtCfg.PrefetchRowCount and StmtCfg.PrefetchMemorySize. PrefetchRowCount works in coordination with PrefetchMemorySize. When PrefetchRowCount is set to zero only PrefetchMemorySize is used; otherwise, the minimum of PrefetchRowCount and PrefetchMemorySize is used. The default uses a PrefetchMemorySize of 134MB. Opening and closing Rsets is managed internally. Rset does not have an Open method or Close method. IntervalYM may be be inserted and selected: IntervalDS may be be inserted and selected: Transactions on an Oracle server are supported. DML statements auto-commit unless a transaction has started: Ses.PrepAndExe, Ses.PrepAndQry, Ses.Ins, Ses.Upd, and Ses.Sel are convenient one-line methods. Ses.PrepAndExe offers a convenient one-line call to Ses.Prep and Stmt.Exe. Ses.PrepAndQry offers a convenient one-line call to Ses.Prep and Stmt.Qry. Ses.Ins composes, prepares and executes a sql INSERT statement. Ses.Ins is useful when you have to create and maintain a simple INSERT statement with a long list of columns. As table columns are added and dropped over the lifetime of a table Ses.Ins is easy to read and revise. Ses.Upd composes, prepares and executes a sql UPDATE statement. Ses.Upd is useful when you have to create and maintain a simple UPDATE statement with a long list of columns. As table columns are added and dropped over the lifetime of a table Ses.Upd is easy to read and revise. Ses.Sel composes, prepares and queries a sql SELECT statement. Ses.Sel is useful when you have to create and maintain a simple SELECT statement with a long list of columns that have non-default GoColumnTypes. As table columns are added and dropped over the lifetime of a table Ses.Sel is easy to read and revise. The Ses.Ping method checks whether the client's connection to an Oracle server is valid. A call to Ping requires an open Ses. Ping will return a nil error when the connection is fine: The Srv.Version method is available to obtain the Oracle server version. A call to Version requires an open Ses: Further code examples are available in the [example file](https://github.com/rana/ora/blob/master/z_example_test.go), test files and [samples folder](https://github.com/rana/ora/tree/master/samples). The ora package provides a simple ora.Logger interface for logging. Logging is disabled by default. Specify one of three optional built-in logging packages to enable logging; or, use your own logging package. ora.Cfg().Log offers various options to enable or disable logging of specific ora driver methods. For example: To use the standard Go log package: which produces a sample log of: Messages are prefixed with 'ORA I' for information or 'ORA E' for an error. The log package is configured to write to os.Stderr by default. Use the ora/lg.Std type to configure an alternative io.Writer. To use the glog package: which produces a sample log of: To use the log15 package: which produces a sample log of: See https://github.com/rana/ora/tree/master/samples/lg15/main.go for sample code which uses the log15 package. Tests are available and require some setup. Setup varies depending on whether the Oracle server is configured as a container database or non-container database. It's simpler to setup a non-container database. An example for each setup is explained. Non-container test database setup steps: Container test database setup steps: Some helpful SQL maintenance statements: Run the tests. database/sql method Stmt.QueryRow is not supported. Go 1.6 introduced stricter cgo (call C from Go) rules, and introduced runtime checks. This is good, as the possibility of C code corrupting Go code is almost completely eliminated, but it also means a severe call overhead grow. [Sometimes](https://groups.google.com/forum/#!topic/golang-nuts/ccMkPG6Bi5k) this can be 22x the go 1.5.3 call time! So if you need performance more than correctness, start your programs with "GODEBUG=cgocheck=0" environment setting. Copyright 2017 Rana Ian, Tamás Gulácsi. All rights reserved. Use of this source code is governed by The MIT License found in the accompanying LICENSE file.

v4.1.15+incompatible • 8 years ago

github.com/torlangballe/gofpdf

v1.16.2 • 6 years ago

github.com/DesignersAxis/gofpdf

v1.17.1 • 5 years ago

github.com/marcelmiguel/gofpdf

v1.16.4 • 4 months ago

github.com/xigh/gofpdf

v1.16.2 • 6 years ago

github.com/chris-skud/gofpdf

v1.16.2 • 6 years ago

github.com/aksdb/caddy-cgi

Package cgi implements the common gateway interface (CGI) for Caddy 2, a modern, full-featured, easy-to-use web server. It has been forked from the fantastic work of Kurt Jung who wrote that plugin for Caddy 1. This plugin lets you generate dynamic content on your website by means of command line scripts. To collect information about the inbound HTTP request, your script examines certain environment variables such as PATH_INFO and QUERY_STRING. Then, to return a dynamically generated web page to the client, your script simply writes content to standard output. In the case of POST requests, your script reads additional inbound content from standard input. The advantage of CGI is that you do not need to fuss with server startup and persistence, long term memory management, sockets, and crash recovery. Your script is called when a request matches one of the patterns that you specify in your Caddyfile. As soon as your script completes its response, it terminates. This simplicity makes CGI a perfect complement to the straightforward operation and configuration of Caddy. The benefits of Caddy, including HTTPS by default, basic access authentication, and lots of middleware options extend easily to your CGI scripts. CGI has some disadvantages. For one, Caddy needs to start a new process for each request. This can adversely impact performance and, if resources are shared between CGI applications, may require the use of some interprocess synchronization mechanism such as a file lock. Your server’s responsiveness could in some circumstances be affected, such as when your web server is hit with very high demand, when your script’s dependencies require a long startup, or when concurrently running scripts take a long time to respond. However, in many cases, such as using a pre-compiled CGI application like fossil or a Lua script, the impact will generally be insignificant. Another restriction of CGI is that scripts will be run with the same permissions as Caddy itself. This can sometimes be less than ideal, for example when your script needs to read or write files associated with a different owner. Serving dynamic content exposes your server to more potential threats than serving static pages. There are a number of considerations of which you should be aware when using CGI applications. CGI scripts should be located outside of Caddy’s document root. Otherwise, an inadvertent misconfiguration could result in Caddy delivering the script as an ordinary static resource. At best, this could merely confuse the site visitor. At worst, it could expose sensitive internal information that should not leave the server. Mistrust the contents of PATH_INFO, QUERY_STRING and standard input. Most of the environment variables available to your CGI program are inherently safe because they originate with Caddy and cannot be modified by external users. This is not the case with PATH_INFO, QUERY_STRING and, in the case of POST actions, the contents of standard input. Be sure to validate and sanitize all inbound content. If you use a CGI library or framework to process your scripts, make sure you understand its limitations. An error in a CGI application is generally handled within the application itself and reported in the headers it returns. Your CGI application can be executed directly or indirectly. In the direct case, the application can be a compiled native executable or it can be a shell script that contains as its first line a shebang that identifies the interpreter to which the file’s name should be passed. Caddy must have permission to execute the application. On Posix systems this will mean making sure the application’s ownership and permission bits are set appropriately; on Windows, this may involve properly setting up the filename extension association. In the indirect case, the name of the CGI script is passed to an interpreter such as lua, perl or python. - This module needs to be installed (obviously). - The directive needs to be registered in the Caddyfile: The basic cgi directive lets you add a handler in the current caddy router location with a given script and optional arguments. The matcher is a default caddy matcher that is used to restrict the scope of this directive. The directive can be repeated any reasonable number of times. Here is the basic syntax: For example: When a request such as https://example.com/report or https://example.com/report/weekly arrives, the cgi middleware will detect the match and invoke the script named /usr/local/cgi-bin/report. The current working directory will be the same as Caddy itself. Here, it is assumed that the script is self-contained, for example a pre-compiled CGI application or a shell script. Here is an example of a standalone script, similar to one used in the cgi plugin’s test suite: The environment variables PATH_INFO and QUERY_STRING are populated and passed to the script automatically. There are a number of other standard CGI variables included that are described below. If you need to pass any special environment variables or allow any environment variables that are part of Caddy’s process to pass to your script, you will need to use the advanced directive syntax described below. Beware that in Caddy v2 it is (currently) not possible to separate the path left of the matcher from the full URL. Therefore if you require your CGI program to know the SCRIPT_NAME, make sure to pass that explicitly: In order to specify custom environment variables, pass along one or more environment variables known to Caddy, or specify more than one match pattern for a given rule, you will need to use the advanced directive syntax. That looks like this: For example, The script_name subdirective helps the cgi module to separate the path to the script from the (virtual) path afterwards (which shall be passed to the script). env can be used to define a list of key=value environment variable pairs that shall be passed to the script. pass_env can be used to define a list of environment variables of the Caddy process that shall be passed to the script. If your CGI application runs properly at the command line but fails to run from Caddy it is possible that certain environment variables may be missing. For example, the ruby gem loader evidently requires the HOME environment variable to be set; you can do this with the subdirective pass_env HOME. Another class of problematic applications require the COMPUTERNAME variable. The pass_all_env subdirective instructs Caddy to pass each environment variable it knows about to the CGI excutable. This addresses a common frustration that is caused when an executable requires an environment variable and fails without a descriptive error message when the variable cannot be found. These applications often run fine from the command prompt but fail when invoked with CGI. The risk with this subdirective is that a lot of server information is shared with the CGI executable. Use this subdirective only with CGI applications that you trust not to leak this information. If you run into unexpected results with the CGI plugin, you are able to examine the environment in which your CGI application runs. To enter inspection mode, add the subdirective inspect to your CGI configuration block. This is a development option that should not be used in production. When in inspection mode, the plugin will respond to matching requests with a page that displays variables of interest. In particular, it will show the replacement value of {match} and the environment variables to which your CGI application has access. For example, consider this example CGI block: When you request a matching URL, for example, the Caddy server will deliver a text page similar to the following. The CGI application (in this case, wapptclsh) will not be called. This information can be used to diagnose problems with how a CGI application is called. To return to operation mode, remove or comment out the inspect subdirective. In this example, the Caddyfile looks like this: Note that a request for /show gets mapped to a script named /usr/local/cgi-bin/report/gen. There is no need for any element of the script name to match any element of the match pattern. The contents of /usr/local/cgi-bin/report/gen are: The purpose of this script is to show how request information gets communicated to a CGI script. Note that POST data must be read from standard input. In this particular case, posted data gets stored in the variable POST_DATA. Your script may use a different method to read POST content. Secondly, the SCRIPT_EXEC variable is not a CGI standard. It is provided by this middleware and contains the entire command line, including all arguments, with which the CGI script was executed. When a browser requests the response looks like When a client makes a POST request, such as with the following command the response looks the same except for the following lines: This small example demonstrates how to write a CGI program in Go. The use of a bytes.Buffer makes it easy to report the content length in the CGI header. When this program is compiled and installed as /usr/local/bin/servertime, the following directive in your Caddy file will make it available:

v1.11.4 • 6 years ago

github.com/Anmol346/gofpdf

v1.16.2 • 6 years ago

github.com/torlangballe/gofpdf/v2

v2.17.2 • 6 years ago

github.com/otaviobaldan/gofpdf

v1.16.2 • 6 years ago

github.com/happyreturns/gofpdf

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. - UTF-8 support - Choice of measurement unit, page format and margins - Page header and footer management - Automatic page breaks, line breaks, and text justification - Inclusion of JPEG, PNG, GIF, TIFF and basic path-only SVG images - Colors, gradients and alpha channel transparency - Outline bookmarks - Internal and external links - TrueType, Type1 and encoding support - Page compression - Lines, Bézier curves, arcs, and ellipses - Rotation, scaling, skewing, translation, and mirroring - Clipping - Document protection - Layers - Templates - Barcodes - Charting facility - Import PDFs as templates gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. gofpdf supports UTF-8 TrueType fonts and “right-to-left” languages. Note that Chinese, Japanese, and Korean characters may not be included in many general purpose fonts. For these languages, a specialized font (for example, NotoSansSC for simplified Chinese) can be used. Also, support is provided to automatically translate UTF-8 runes to code page encodings for languages that have fewer than 256 glyphs. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running go test ./... is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you’ll need to examine fpdf_test.go for some helper routines, for example exampleFilename() and summary(). Example PDFs can be compared with reference copies in order to verify that they have been generated as expected. This comparison will be performed if a PDF with the same name as the example PDF is placed in the gofpdf/pdf/reference directory and if the third argument to ComparePDFFiles() in internal/example/example.go is true. (By default it is false.) The routine that summarizes an example will look for this file and, if found, will call ComparePDFFiles() to check the example PDF for equality with its reference PDF. If differences exist between the two files they will be printed to standard output and the test will fail. If the reference file is missing, the comparison is considered to succeed. In order to successfully compare two PDFs, the placement of internal resources must be consistent and the internal creation timestamps must be the same. To do this, the methods SetCatalogSort() and SetCreationDate() need to be called for both files. This is done automatically for all examples. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). You should use AddUTF8Font() or AddUTF8FontFromBytes() to add a TrueType UTF-8 encoded font. Use RTL() and LTR() methods switch between “right-to-left” and “left-to-right” mode. In order to use a different non-UTF-8 TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run “go build”. This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include Google Fonts and DejaVu Fonts. The draw2d package is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. A contribution that does not directly pertain to the core functionality of gofpdf should be placed in its own directory directly beneath the contrib directory. Here are guidelines for making submissions. Your change should - be compatible with the MIT License - be properly documented - be formatted with go fmt - include an example in fpdf_test.go if appropriate - conform to the standards of golint and go vet, that is, golint . and go vet . should not generate any warnings - not diminish test coverage Pull requests are the preferred means of accepting your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package’s code and documentation are closely derived from the FPDF library created by Olivier Plathey, and a number of font and image resources are copied directly from it. Bruno Michel has provided valuable assistance with the code. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image’s extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Jelmer Snoek and Guillermo Pascual augmented the basic HTML functionality with aligned text. Kent Quirk implemented backwards-compatible support for reading DPI from images that support it, and for setting DPI manually and then having it properly taken into account when calculating image size. Paulo Coutinho provided support for static embedded fonts. Dan Meyers added support for embedded JavaScript. David Fish added a generic alias-replacement function to enable, among other things, table of contents functionality. Andy Bakun identified and corrected a problem in which the internal catalogs were not sorted stably. Paul Montag added encoding and decoding functionality for templates, including images that are embedded in templates; this allows templates to be stored independently of gofpdf. Paul also added support for page boxes used in printing PDF documents. Wojciech Matusiak added supported for word spacing. Artem Korotkiy added support of UTF-8 fonts. Dave Barnes added support for imported objects and templates. Brigham Thompson added support for rounded rectangles. Joe Westcott added underline functionality and optimized image storage. Benoit KUGLER contributed support for rectangles with corners of unequal radius, modification times, and for file attachments and annotations. - Remove all legacy code page font support; use UTF-8 exclusively - Improve test coverage as reported by the coverage tool. Example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retrieved with the output call where it can be handled by the application.

v1.6.1 • 2 years ago

github.com/jkhelil/gofpdf

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. • Choice of measurement unit, page format and margins • Page header and footer management • Automatic page breaks, line breaks, and text justification • Inclusion of JPEG, PNG, GIF and basic path-only SVG images • Colors, gradients and alpha channel transparency • Outline bookmarks • Internal and external links • TrueType, Type1 and encoding support • Page compression • Lines, Bézier curves, arcs, and ellipses • Rotation, scaling, skewing, translation, and mirroring • Clipping • Document protection • Layers • Templates gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. Like FPDF version 1.7, from which gofpdf is derived, this package does not yet support UTF-8 fonts. However, support is provided to translate UTF-8 runes to code page encodings. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running "go test ./..." is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you'll need to examine fpdf_test.go for some helper routines, for example exampleFilename() and summary(). Example PDFs can be compared with reference copies in order to verify that they have been generated as expected. This comparison will be performed if a PDF with the same name as the example PDF is placed in the gofpdf/pdf/reference directory. The routine that summarizes an example will look for this file and, if found, will call ComparePDFFiles() to check the example PDF for equality with its reference PDF. If differences exist between the two files they will be printed to standard output and the test will fail. If the reference file is missing, the comparison is considered to succeed. In order to successfully compare two PDFs, the placement of internal resources must be consistent and the internal creation timestamps must be the same. To do this, the methods SetCatalogSort() and SetCreationDate() need to be called for both files. This is done automatically for all examples. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). In order to use a different TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run "go build". This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include http://www.google.com/fonts/ and http://dejavu-fonts.org/. The draw2d package (https://github.com/llgcode/draw2d) is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. A contribution that does not directly pertain to the core functionality of gofpdf should be placed in its own directory directly beneath the `contrib` directory. Here are guidelines for making submissions. Your change should • be compatible with the MIT License • be properly documented • be formatted with `go fmt` • include an example in fpdf_test.go if appropriate • conform to the standards of golint (https://github.com/golang/lint) and go vet (https://godoc.org/golang.org/x/tools/cmd/vet), that is, `golint .` and `go vet .` should not generate any warnings • not diminish test coverage (https://blog.golang.org/cover) Pull requests (https://help.github.com/articles/using-pull-requests/) work nicely as a means of contributing your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package's code and documentation are closely derived from the FPDF library (http://www.fpdf.org/) created by Olivier Plathey, and a number of font and image resources are copied directly from it. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image's extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Additionally, he augmented the basic HTML functionality with aligned text. Bruno Michel has provided valuable assistance with the code. • Handle UTF-8 source text natively. Until then, automatic translation of UTF-8 runes to code page bytes is provided. • Improve test coverage as reported by the coverage tool. This example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retreived with the output call where it can be handled by the application.

v0.0.0-20151108165848-0d15f36c67d7 • 10 years ago

github.com/nono/gofpdf

v0.0.0-20140502165310-a42eb94bbe69 • 11 years ago

github.com/cwimmer/gofpdf

v1.16.2 • 6 years ago

github.com/krhubert/gofpdf

v1.17.3 • 4 years ago

github.com/todostreaming/gofpdf

Package gofpdf implements a PDF document generator with high level support for text, drawing and images. • Choice of measurement unit, page format and margins • Page header and footer management • Automatic page breaks, line breaks, and text justification • Inclusion of JPEG, PNG, GIF and basic path-only SVG images • Colors, gradients and alpha channel transparency • Outline bookmarks • Internal and external links • TrueType, Type1 and encoding support • Page compression • Lines, Bézier curves, arcs, and ellipses • Rotation, scaling, skewing, translation, and mirroring • Clipping • Document protection • Layers • Templates gofpdf has no dependencies other than the Go standard library. All tests pass on Linux, Mac and Windows platforms. Like FPDF version 1.7, from which gofpdf is derived, this package does not yet support UTF-8 fonts. However, support is provided to translate UTF-8 runes to code page encodings. To install the package on your system, run Later, to receive updates, run The following Go code generates a simple PDF file. See the functions in the fpdf_test.go file (shown as examples in this documentation) for more advanced PDF examples. If an error occurs in an Fpdf method, an internal error field is set. After this occurs, Fpdf method calls typically return without performing any operations and the error state is retained. This error management scheme facilitates PDF generation since individual method calls do not need to be examined for failure; it is generally sufficient to wait until after Output() is called. For the same reason, if an error occurs in the calling application during PDF generation, it may be desirable for the application to transfer the error to the Fpdf instance by calling the SetError() method or the SetErrorf() method. At any time during the life cycle of the Fpdf instance, the error state can be determined with a call to Ok() or Err(). The error itself can be retrieved with a call to Error(). This package is a relatively straightforward translation from the original FPDF library written in PHP (despite the caveat in the introduction to Effective Go). The API names have been retained even though the Go idiom would suggest otherwise (for example, pdf.GetX() is used rather than simply pdf.X()). The similarity of the two libraries makes the original FPDF website a good source of information. It includes a forum and FAQ. However, some internal changes have been made. Page content is built up using buffers (of type bytes.Buffer) rather than repeated string concatenation. Errors are handled as explained above rather than panicking. Output is generated through an interface of type io.Writer or io.WriteCloser. A number of the original PHP methods behave differently based on the type of the arguments that are passed to them; in these cases additional methods have been exported to provide similar functionality. Font definition files are produced in JSON rather than PHP. A side effect of running "go test ./..." is the production of a number of example PDFs. These can be found in the gofpdf/pdf directory after the tests complete. Please note that these examples run in the context of a test. In order run an example as a standalone application, you'll need to examine fpdf_test.go for some helper routines, for example exampleFilename() and summary(). Example PDFs can be compared with reference copies in order to verify that they have been generated as expected. This comparison will be performed if a PDF with the same name as the example PDF is placed in the gofpdf/pdf/reference directory. The routine that summarizes an example will look for this file and, if found, will call ComparePDFFiles() to check the example PDF for equality with its reference PDF. If differences exist between the two files they will be printed to standard output and the test will fail. If the reference file is missing, the comparison is considered to succeed. In order to successfully compare two PDFs, the placement of internal resources must be consistent and the internal creation timestamps must be the same. To do this, the methods SetCatalogSort() and SetCreationDate() need to be called for both files. This is done automatically for all examples. Nothing special is required to use the standard PDF fonts (courier, helvetica, times, zapfdingbats) in your documents other than calling SetFont(). In order to use a different TrueType or Type1 font, you will need to generate a font definition file and, if the font will be embedded into PDFs, a compressed version of the font file. This is done by calling the MakeFont function or using the included makefont command line utility. To create the utility, cd into the makefont subdirectory and run "go build". This will produce a standalone executable named makefont. Select the appropriate encoding file from the font subdirectory and run the command as in the following example. In your PDF generation code, call AddFont() to load the font and, as with the standard fonts, SetFont() to begin using it. Most examples, including the package example, demonstrate this method. Good sources of free, open-source fonts include http://www.google.com/fonts/ and http://dejavu-fonts.org/. The draw2d package (https://github.com/llgcode/draw2d) is a two dimensional vector graphics library that can generate output in different forms. It uses gofpdf for its document production mode. gofpdf is a global community effort and you are invited to make it even better. If you have implemented a new feature or corrected a problem, please consider contributing your change to the project. A contribution that does not directly pertain to the core functionality of gofpdf should be placed in its own directory directly beneath the `contrib` directory. Here are guidelines for making submissions. Your change should • be compatible with the MIT License • be properly documented • be formatted with `go fmt` • include an example in fpdf_test.go if appropriate • conform to the standards of golint (https://github.com/golang/lint) and go vet (https://godoc.org/golang.org/x/tools/cmd/vet), that is, `golint .` and `go vet .` should not generate any warnings • not diminish test coverage (https://blog.golang.org/cover) Pull requests (https://help.github.com/articles/using-pull-requests/) work nicely as a means of contributing your changes. gofpdf is released under the MIT License. It is copyrighted by Kurt Jung and the contributors acknowledged below. This package's code and documentation are closely derived from the FPDF library (http://www.fpdf.org/) created by Olivier Plathey, and a number of font and image resources are copied directly from it. Drawing support is adapted from the FPDF geometric figures script by David Hernández Sanz. Transparency support is adapted from the FPDF transparency script by Martin Hall-May. Support for gradients and clipping is adapted from FPDF scripts by Andreas Würmser. Support for outline bookmarks is adapted from Olivier Plathey by Manuel Cornes. Layer support is adapted from Olivier Plathey. Support for transformations is adapted from the FPDF transformation script by Moritz Wagner and Andreas Würmser. PDF protection is adapted from the work of Klemen Vodopivec for the FPDF product. Lawrence Kesteloot provided code to allow an image's extent to be determined prior to placement. Support for vertical alignment within a cell was provided by Stefan Schroeder. Ivan Daniluk generalized the font and image loading code to use the Reader interface while maintaining backward compatibility. Anthony Starks provided code for the Polygon function. Robert Lillack provided the Beziergon function and corrected some naming issues with the internal curve function. Claudio Felber provided implementations for dashed line drawing and generalized font loading. Stani Michiels provided support for multi-segment path drawing with smooth line joins, line join styles, enhanced fill modes, and has helped greatly with package presentation and tests. Templating is adapted by Marcus Downing from the FPDF_Tpl library created by Jan Slabon and Setasign. Jelmer Snoeck contributed packages that generate a variety of barcodes and help with registering images on the web. Additionally, he augmented the basic HTML functionality with aligned text. Kent Quirk implemented backwards-compatible support for reading DPI from images that support it, and for setting DPI manually and then having it properly taken into account when calculating image size. Bruno Michel has provided valuable assistance with the code. • Handle UTF-8 source text natively. Until then, automatic translation of UTF-8 runes to code page bytes is provided. • Improve test coverage as reported by the coverage tool. This example demonstrates the generation of a simple PDF document. Note that since only core fonts are used (in this case Arial, a synonym for Helvetica), an empty string can be specified for the font directory in the call to New(). Note also that the example.Filename() and example.Summary() functions belong to a separate, internal package and are not part of the gofpdf library. If an error occurs at some point during the construction of the document, subsequent method calls exit immediately and the error is finally retreived with the output call where it can be handled by the application.

v0.0.0-20160309190112-bcfb7a87cbd1 • 9 years ago

github.com/dihedron/gofpdf

v1.4.2 • 5 years ago

13 4 5

Content Management System

github.com/kckrinke/go-cdk

github.com/padraicbc/ponzu/content

rescribe.xyz/bookpipeline

github.com/Ambrevar/Demlo

github.com/Jung-kurt/gofpdf

github.com/H0llyW00dzZ/fiber2fa

github.com/falzm/chaos

github.com/ejfhp/gofpdf/v2

github.com/telekom-security/gofpdf

github.com/telekom-security/gofpdf/v3

github.com/jung-kurt/caddy-pubsub

github.com/jorgeadev/gofpdf

github.com/sprucehealth/gofpdf

github.com/queueup-dev/gofpdf

github.com/saisiyun/gofpdf

github.com/ycabrer/evapi-golang

github.com/ejfhp/gofpdf

github.com/Said6289/gofpdf

github.com/somat/gofpdf

github.com/royge/gofpdf

github.com/mfojtik/cslb

github.com/gertjanwytynck/gofpdf

github.com/gitdlam/gofpdf

github.com/Clarilab/gofpdf

github.com/0xazure/gofpdf

github.com/markdingo/cslb

github.com/pjtatlow/gofpdf

github.com/rubenhazelaar/gofpdf

github.com/mkasner/gofpdf

github.com/d0ngw/gofpdf

github.com/benchiboy/gofpdf

github.com/tianlin/ora

github.com/freeman983/ora

github.com/torlangballe/gofpdf

github.com/DesignersAxis/gofpdf

github.com/marcelmiguel/gofpdf

github.com/xigh/gofpdf

github.com/chris-skud/gofpdf

github.com/aksdb/caddy-cgi

github.com/Anmol346/gofpdf

github.com/torlangballe/gofpdf/v2

github.com/otaviobaldan/gofpdf

github.com/DeedleFake/fyner

github.com/happyreturns/gofpdf

github.com/jkhelil/gofpdf

github.com/nono/gofpdf

github.com/cwimmer/gofpdf

github.com/krhubert/gofpdf

github.com/todostreaming/gofpdf

github.com/dihedron/gofpdf