1. Overview

Spotfire Server REST API for License Management.

1.1. Version information

Version : 1

1.2. Tags

  • licenses : Spotfire Server License management API

2. Authentication and authorization

The API uses the OAuth 2.0 protocol for authentication and authorization, with the Spotfire Server itself as Authorization Server.

Note: The API does not use HTTP sessions so there is no need to maintain session cookies.

Note: All communication should always be done over HTTPS when using OAuth 2.0.

2.1. Basic steps

  1. Register an API client using the register-api-client command to obtain client credentials.

    When registering the client you specify what type of client it is, what grants and scopes the client should be able to use etc.

  2. Obtain an access token using one of the following alternatives

    • To use the Authorization Code grant follow the instructions in section 4.1 of RFC 6749.

    • To use the Client Credentials grant follow the instructions in section 4.4 of RFC 6749.

    • To use a Refresh Token follow the instructions in section 6 of RFC 6749.

      Additional information on how to get the access token

    • The OAuth 2.0 Authorization Server Metadata (RFC 8414) can be retrieved from: http[s]://<host>[:<port>]/spotfire/.well-known/oauth-authorization-server

    • The Authorization Endpoint can be accessed at: http[s]://<host>[:<port>]/spotfire/oauth2/auth

    • The Token Endpoint can be accessed at: http[s]://<host>[:<port>]/spotfire/oauth2/token

    • When calling the Token Endpoint the client must authenticate using the HTTP Basic authentication scheme as described in section 2.3.1 of RFC 6749, using the credentials obtained when registering the client (unless the client profile is native or user_agent, in which case no credentials are issued).

    • The initial request (to the Authorization Endpoint in the case of the Authorization Code grant, or to the Token Endpoint in the case of the Client Credentials grant) must include any and all scopes required to access the services that the client intend to access (see the documentation of each service for details).

  3. Include the access token in all requests to the API, in an Authorization header as described in section 2.1 of RFC 6750.

    • The access token has a limited lifetime, after which a new token must be obtained by repeating step 2.

    • An access token is only valid for the services and operations described in the scope parameter provided when obtaining the access token. The available scopes are described in the documentation for each service.

2.2. Additional information

  • Four client profiles are supported: other, web, native and user_agent. The profile other should be used by a typically headless application performing requests on its own behalf. The profile web should be used by a server-side web application performing requests on behalf of an end-user. The profile native should be used by a native client, such as an iOS or Android app, performing requests on behalf of an end-user. The profile user_agent should be used by a client-side (JavaScript) web application, performing requests on behalf of an end-user.

  • The Authorization Code, Client Credentials and Refresh Token grants are supported.

  • Clients with profile web, native or user_agent can only use the Authorization Code and Refresh Token grants. Clients with profile other can only use the Client Credentials grant.

  • Refresh tokens MAY be issued to allow access also when no end-user is present (useful when for example performing periodic uploads or similar). To request a refresh token to be issued the scope offline should be included in the request to the Authorization Endpoint. For more information see section 1.5 of RFC 6749.

    • Refresh tokens that are no longer needed SHOULD be revoked, as described in RFC 7009.

  • Public clients (clients without client credentials) MUST use PKCE (RFC 7636). Confidential clients MAY use _PKCE.

  • Native clients can use any of the three ways of receiving the response listed in section 7 of RFC 8252.

    • To use Private-Use URI Scheme Redirection a custom URI scheme must be registered when registering the client.

    • To use Claimed "https" Scheme URI Redirection an authorized redirect URI must be registered when registering the client.

    • Loopback Interface Redirection is supported for all native clients. The scheme must be http. The host must be either 127.0.0.1 (IPv4) or [::1] (IPv6). The path can be either / or /auth. The port is variable.

  • Native clients SHOULD adhere to the guidelines outlined in OAuth 2.0 for Native Apps (RFC 8252).

  • All clients SHOULD implement support for OAuth 2.0 Authorization Server Issuer Identification (RFC 9207).

3. API Endpoint URLs

All API services can be accessed at the following location, where ServicePath is one of the entries in the Resources listing below:

http[s]://<host>[:<port>]/spotfire/api/rest/licenses/v1/<ServicePath>

Example:

https://example.com:8443/spotfire/api/rest/licenses/v1

You can download the Open API Specification (OAS) for this REST API as a JSON file from the Spotfire Server at http[s]://<host>[:<port>]/spotfire/api/v2/api-docs?group=license. This OAS file can be accessed at this location by all authenticated users (unless disabled through configuration). The OAS file can be used to generate client stubs, which will contain all types and methods that can be used with the API.

You can also browse the OAS for this REST API using the Swagger UI, available at http[s]://<host>[:<port>]/spotfire/api/swagger-ui.html?urls.primaryName=license

4. Usage

This API is used to read, add, modify & delete the Spotfire licenses. All calls assume that a successful authentication has been made, see above.

Note
 Clients should be as resilient as possible, e.g. they should be able to handle any 4XX or 5XX http status codes and not just the ones documented here.
Note
 In later versions of this API, additional JSON properties might be added. Make the JSON response parsing done by the API client forgiving, so it can accept unexpected properties and different ordering.

5. Resources

5.1. License-Management

5.1.1. List all licenses and license functions

GET /
Description

Returns all the licenses and license functions that exist in the system.

Responses
HTTP Code Description Schema

200

The set of all licenses and license functions that exist in the system.

<License> array

500

Internal server error.

ErrorResponse

503

Server busy.

ErrorResponse
Produces

  • application/json

Security
Type Name Scope

oauth2

spotfire-api-oauth2

api.licenses.read

oauth2

spotfire-api-oauth2

api.licenses.write

5.1.2. List licenses and functions enabled for a user

GET /users/{userId}
Description

Returns all licenses and license functions that are enabled for a certain user.

Parameters
Type Name Description Schema Example

Path

userId
required

User ID to list the licenses for.

string
Responses
HTTP Code Description Schema

200

The set of all licenses and license functions that are enabled for a certain user.

<License> array

400

Invalid user ID not valid or not found.

ErrorResponse

500

Internal server error.

ErrorResponse

503

Server busy.

ErrorResponse
Produces

  • application/json

Security
Type Name Scope

oauth2

spotfire-api-oauth2

api.licenses.read

oauth2

spotfire-api-oauth2

api.licenses.write

5.1.3. List license functions enabled for a group

GET /{licenseName}/groups/{groupId}
Description

Returns all license functions that are enabled for a certain group.

Parameters
Type Name Description Schema Example

Path

groupId
required

Group ID to query.

string

Path

licenseName
required

License name to list the license functions for.

string

Query

includingHeritage
optional

If false the operation will return the license functions that are explicitly set on this group, if true then the license functions enabled through group membership as well as explicitly set on this group will be returned. Default value is false.

boolean
Responses
HTTP Code Description Schema

200

The set of all license functions that are enabled for a certain group.

<LicenseFunction> array

400

Invalid group ID or license, or not found.

ErrorResponse

500

Internal server error.

ErrorResponse

503

Server busy.

ErrorResponse
Produces

  • application/json

Security
Type Name Scope

oauth2

spotfire-api-oauth2

api.licenses.read

oauth2

spotfire-api-oauth2

api.licenses.write

5.1.4. Set a license for a group

PUT /{licenseName}/groups/{groupId}
Description

Sets the license and license functions for a certain group. If license functions is empty or null then all license functions are enabled. Note that the caller has to be an Administrator.

Parameters
Type Name Description Schema Example

Path

groupId
required

Group ID to set the license for.

string

Path

licenseName
required

License name to set.

string

Body

Body
required

The license functions to enable, if empty then all license functions for this license are enabled.
Responses
HTTP Code Description Schema

204

The update was successful.

400

Invalid group Id, license, or function(s), or not found.

ErrorResponse

403

Caller not authorized as they are not an administrator or lacking the LICENSE_WRITE_API authorization scope.

ErrorResponse

500

Internal server error.

ErrorResponse

503

Server busy.

ErrorResponse
Consumes

  • application/json

Security
Type Name Scope

oauth2

spotfire-api-oauth2

api.licenses.write

5.1.5. Remove a license for a group

DELETE /{licenseName}/groups/{groupId}
Description

Remove a license set explicitly on a group. Note that the group might still have that license implicitly enabled through other group membership.

Parameters
Type Name Description Schema Example

Path

groupId
required

Group ID to remove the license for.

string

Path

licenseName
required

License name to remove.

string
Responses
HTTP Code Description Schema

204

The delete was successful.

400

Invalid group ID or license, or not found.

ErrorResponse

403

Caller not authorized as they are not an administrator or lacking the LICENSE_WRITE_API authorization scope.

ErrorResponse

500

Internal server error.

ErrorResponse

503

Server busy.

ErrorResponse
Security
Type Name Scope

oauth2

spotfire-api-oauth2

api.licenses.write

5.1.6. List licenses enabled for a group

GET /groups/{groupId}
Description

Returns all licenses that are enabled for a certain group.

Parameters
Type Name Description Schema Example

Path

groupId
required

Group ID to query.

string

Query

includingHeritage
optional

If false the operation will return the licenses that are explicitly set on this group, if true then the licenses enabled through group membership as well as explicitly set on this group will be returned. Default value is false.

boolean
Responses
HTTP Code Description Schema

200

The set of all licenses that are enabled for a certain group.

<License> array

400

Invalid group ID or not found.

ErrorResponse

500

Internal server error.

ErrorResponse

503

Server busy.

ErrorResponse
Produces

  • application/json

Security
Type Name Scope

oauth2

spotfire-api-oauth2

api.licenses.read

oauth2

spotfire-api-oauth2

api.licenses.write

5.1.7. List all license functions

GET /{licenseName}/functions
Description

Returns all license functions that exist for a certain license.

Parameters
Type Name Description Schema Example

Path

licenseName
required

License name to list functions for.

string
Responses
HTTP Code Description Schema

200

The set of license functions that exist for a certain license.

<LicenseFunction> array

400

License name not valid.

ErrorResponse

500

Internal server error.

ErrorResponse

503

Server busy.

ErrorResponse
Produces

  • application/json

Security
Type Name Scope

oauth2

spotfire-api-oauth2

api.licenses.read

oauth2

spotfire-api-oauth2

api.licenses.write

5.1.8. List license functions enabled for a user

GET /{licenseName}/users/{userId}
Description

Returns all licenses functions that are enabled for a certain user.

Parameters
Type Name Description Schema Example

Path

licenseName
required

License name to list the license functions for.

string

Path

userId
required

User ID to list the license functions for.

string
Responses
HTTP Code Description Schema

200

The set of all license functions that are enabled for a certain user.

<LicenseFunction> array

400

License not passed.

ErrorResponse

500

Internal server error.

ErrorResponse

503

Server busy.

ErrorResponse
Produces

  • application/json

Security
Type Name Scope

oauth2

spotfire-api-oauth2

api.licenses.read

oauth2

spotfire-api-oauth2

api.licenses.write

6. Definitions

6.1. LicenseFunction

License function details.

Name Description Schema

name
optional

Name of the license function.
Example : "useExternalActions"

string

displayName
optional

Display name of the license function.
Example : "Use External Actions"

string

6.2. License

License details alongside a collection of license functions.

Name Description Schema

name
optional

License name and ID.
Example : "Spotfire.Dxp.WebPlayer"

string

displayName
optional

License display name.
Example : "Spotfire Consumer"

string

licenseFunctions
optional

A set of license functions.

<LicenseFunction> array

6.3. Error

Name Description Schema

code
optional

A predefined error code.
Example : "internal_error"

string

description
optional

A description of the error.
Example : "An error occurred while processing the request"

string

6.4. ErrorResponse

Name Description Schema

error
optional

The error response with an error code and a description of the error.

Error

7. Security

7.1. spotfire-api-oauth2

Type : oauth2
Flow : application
Token URL : /spotfire/oauth2/token

Name Description

api.licenses.read

Reading from the licenses

api.licenses.write

Add/Modify the licenses

8. Common Responses

HTTP Code Description Reason

401

Not Authenticated

The client has not been authenticated

403

Not Authorized

The client is not authorized to access the requested resource

500

Internal Server Error

Something went wrong when the processing the request

9. Error Codes

A request to the API that results in an ErrorResponse will have a response body with the following format:

{
  "error": {
    "code": "server_busy",
    "description": "The server is currently too busy to handle the request"
  }
}

where description is a description of the error, and code can be one of the following predefined API error codes:

Error Code HTTP Status Description

invalid_request

400

The request was invalid or incomplete

precondition_failed

400

A precondition for the request was not met

bad_digest

400

The supplied digest is not valid or does not match the digest of the request body

not_authenticated

401

The API client is not authenticated

not_authorized

403

The API client is not authorized to access the requested resource

not_found

404

The requested resource cannot be found

job_unknown

404

The referenced job does not exist, or the client does not have access to it

method_not_allowed

405

The HTTP method is not allowed

already_exists

409

The resource already exists

limit_exceeded

413

A resource limit has been reached

unsupported_mediatype

415

The media type of the request payload is unsupported

rate_limit_exceeded

429

A resource limit has been reached

internal_error

500

The server encountered an error when processing the request

server_busy

503

The server is currently too busy to handle the request

10. Configuration

The API is enabled by default. To disable it or to make other configuration changes, use the config-web-service-api command. For more information see the section Configuration using the command line of the Spotfire© Server and Environment Installation and Administration manual.

11. Additional resources

For more information please refer to these resources: