General

Authentication

There are 4 user access levels:

User type	Access level
Administrator	admin
Planner	plan
Shop team	shop
Auditor	audit

All REST API requests must be authenticated by including an X-Auth-Token header containing either:

• The API key accessible to administrators in the options window.

• A session token obtained using /login

Request conventions

• Requests containing JSON bodies must include the Content-Type: application/json header

• The JSON bodies of PATCH requests should be JSON objects whose keys are any subset of the fields of the type of object they are patching. Unknown fields will be silently ignored.

• Query parameters are all optional unless otherwise noted.

• The following values are considered “true” for boolean parameters, and all others are considered “false”:

  • 1

  • true

  • on

  • yes

  • y

  • checked

• Dates should always be in YYYY-MM-DD format

• Times should always be in HH:MM (24-hour clock) format

• Timestamps (date and time together) should always be in UTC as UNIX timestamps (using floating point numbers for sub-second precision is allowed, but not required)

Response conventions

• Responses containing JSON bodies will include the Content-Type: application/json header

• Responses to requests that create or modify objects will contain the new object in their body.

• Errors will result in a 4xx (client error) or 5xx (server error) response code and a body with a JSON object containing at least an error field with a short, user-presentable error message detailing the problem.

• For errors occurring when an action requires a higher user level than the current login, a second allowed field will be present containing an array of users who are allowed to perform that action.

• Date+time values are returned as UNIX timestamps (UTC) with decimal milliseconds that can be safely truncated to integers for most applications.

• Unless specified otherwise, endpoints will return 200 OK on success.

Internal server errors

When status 500 is reported, you may wish to check the Content-Disposition header. If it starts with attachment, the response body is a support file that can be sent to Wolfram Manufacturing for troubleshooting.

Root endpoints

GET /api/

Check API access.

Example response

 {
     "application": "OnTakt",
     "version": "4.8.7",
     "user": {
         "access_level": "admin",
         "username": "admin"
     }
 }

Returns the version of OnTakt and the currently authenticated access level.

POST /api/restart

Restart OnTakt.

Status Codes:

• 501 Not Implemented – if OnTakt is running in a way that it cannot restart itself

• 204 No Content – on success

POST /api/backup

Perform a database backup.

Status Codes:

• 502 Bad Gateway – if the database dump utility exits with an error

• 503 Service Unavailable – if the database dump utility cannot be started

Returns:

the resulting dump as a file download