To use the API, you first need to obtain an authorization token.

This is done with an API call to the auth URL: invapi.hostkey.com/auth.php

The most important piece of data is the token. All information about your token and its permissions is stored on the API server; the rest of the data only helps to build a proper web interface for the specific role.
The token is valid for 2 hours by default.

Auth actions:

Resource  Action      Description
auth.php  whmcslogin  Obtains a session token
auth.php  logout      Removes a session token
auth.php  info        Gets session token environment
eq.php    set_pin     Set/change PIN for the user
eq.php    check_pin   Validate entered PIN (optional)

Auth/Whmcslogin


HTTP Method - POST


Parameter  Required  Type    Value/default  Description
action     *         string  whmcslogin     Main action - Obtains an access token
user       *         string                 Your billing login
password   *         string                 Your billing password
fix_ip               int                    fix_ip=0 - do not bind token to address, fix_ip=1 - bind
ttl                  int     10800          Session lifetime in seconds, default 10800 (3 hours)

curl -s "https://invapi.hostkey.com/auth.php" -X POST \
--data "action=whmcslogin" \
--data "user=" \
--data "password="



Auth/Logout


HTTP Method - POST/GET


Parameter  Required  Type    Value/default  Description
action     *         string  logout         Main action - logout removes the auth token from the database. Please do not forget to log out to avoid possible security issues
token      *         string                 Token to expire

curl -s "https://invapi.hostkey.com/auth.php" -X POST \
--data "action=logout" \
--data "token="
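
The login and logout calls above, combined into one session wrapper as an added example (not HOSTKEY's code): it binds the token with fix_ip=1, requests a short ttl, keeps the password and token out of the process argument list, and always logs out. Assumptions: the login response is JSON with a string field named token, the 900-second ttl is an arbitrary value, and the function names and the HK_PASSWORD/HK_TOKEN variables are hypothetical.

```shell
# Added example, not HOSTKEY code. Assumption: the whmcslogin response is JSON
# containing a string field named "token"; adjust extract_token if it differs.
AUTH_URL="https://invapi.hostkey.com/auth.php"

# Transport: form fields arrive on stdin as a curl config file (-K -), so the
# password and token never show up in the process argument list.
hk_post() { curl -s -K - "$1"; }

# Turn name=value arguments into curl config lines, escaping \ and " in values.
form_fields() (
  for kv in "$@"; do
    name=${kv%%=*}
    value=$(printf '%s' "${kv#*=}" | sed 's/[\\"]/\\&/g')
    printf 'data-urlencode = "%s=%s"\n' "$name" "$value"
  done
)

extract_token() {
  sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Log in with the token bound to the caller's address (fix_ip=1) and a short
# lifetime (900 s is an arbitrary choice). Password comes from $HK_PASSWORD.
hk_login() {  # usage: hk_login USER [TTL_SECONDS]
  token=$(form_fields "action=whmcslogin" "user=$1" "password=$HK_PASSWORD" \
    "fix_ip=1" "ttl=${2:-900}" | hk_post "$AUTH_URL" | extract_token)
  [ -n "$token" ] && printf '%s\n' "$token"
}

hk_logout() {
  form_fields "action=logout" "token=$1" | hk_post "$AUTH_URL" >/dev/null
}

# Run a command with HK_TOKEN set; the EXIT trap logs out on success, failure
# or Ctrl-C, so the token is removed instead of living until its ttl expires.
hk_with_session() (  # usage: hk_with_session USER command [args...]
  user=$1; shift
  HK_TOKEN=$(hk_login "$user") || { echo "login failed" >&2; exit 1; }
  export HK_TOKEN
  trap 'hk_logout "$HK_TOKEN"' EXIT
  trap 'exit 130' INT TERM
  "$@"
  exit $?
)
```

Set HK_PASSWORD as a plain (unexported) shell variable before calling hk_with_session, so it is not inherited by child processes.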

Auth/Info


HTTP Method - POST/GET


Parameter  Required  Type    Value/default  Description
action     *         string  info           Main action - info returns full data about your token, including your servers' identification numbers, when you are logged in.
token      *         string                 Your API token

curl -s "https://invapi.hostkey.com/auth.php" -X POST \
--data "action=info" \
--data "token="

The data in servers is a list of the IDs of the servers linked to your billing account; you can use these IDs later to manage the servers.



PIN-codes

We try to keep our customers' servers safe, even in case of data leaks on the user's devices. The system will ask for a PIN for every critical server operation.

The PIN is a short password to keep equipment safe and should not be stored anywhere. We can only reset it via a manual support request after extra security verification.

  • PIN hashes are stored separately from our billing and inventory databases.
  • Most management functions will not work without a PIN or with an empty one. The PIN needs to be set once.

Eq/Set_pin


HTTP Method - POST/GET


Parameter  Required    Type    Value/default  Description
action     *           string  set_pin        Main action - Set/Change PIN for the user
token      *           string                 Your API token
old_pin    for change  int                    Old PIN code
new_pin    *           int                    New PIN code

curl -s "https://invapi.hostkey.com/eq.php" -X POST \
--data "action=set_pin" \
--data "token=" \
--data "old_pin=" \
--data "new_pin="

This action has an asynchronous response.



Eq/Check_pin


HTTP Method - POST/GET


Parameter  Required  Type    Value/default  Description
action     *         string  check_pin      Main action - Validate entered PIN
token      *         string                 Your API token
pin        *         int                    Your PIN code

curl -s "https://invapi.hostkey.com/eq.php" -X POST \
--data "action=check_pin" \
--data "token=" \
--data "pin="

This action has an asynchronous response.

After several failures, the API will return only failed responses with long delays to prevent brute-force attempts.

