API access and API keys

·

SummitPSA ships a REST API (v1) for integrating with your own tools and scripts. Requests authenticate with a Bearer API key, and each key carries fine-grained permissions.

Create an API key

  1. Go to Admin → API keys.
  2. Name the key, optionally tie it to an agent (so created tickets are attributed to them), and tick the permissions per module — view, create, edit for tickets, companies, contacts, assets, projects, knowledge base, and finance.
  3. Save. The full key (prefixed xva_) is shown once — copy it immediately. Only a bcrypt hash is stored.

Keys can be revoked (deactivated) or deleted at any time, and the list shows each key's last-used time.

Authenticating

Send the key as a Bearer token on every request:

Authorization: Bearer xva_your_key_here

Missing, malformed, expired, or revoked keys return 401; a key lacking the required module permission returns 403.

Endpoints (v1)

MethodPathPurpose
GET/api/v1/healthStatus check (no auth)
GET/api/v1/ticketsList tickets (filter by status, priority; paginated)
GET/api/v1/tickets/{id}Ticket detail with client-visible replies
POST/api/v1/ticketsCreate a ticket (title required)
PUT/api/v1/tickets/{id}Update status, priority, or assignee
GET/api/v1/companies, /companies/{id}List / detail companies
GET/api/v1/contactsList contacts (filter by company, search)
GET/api/v1/assetsList assets (filter by company, status)

Example

curl -H "Authorization: Bearer xva_your_key_here" \
  https://your-install/api/v1/tickets?status=open&per_page=20

List endpoints are paginated — use page and per_page (max 50). Grant a key only the permissions its integration actually needs.

Was this article helpful?
Still need help? Contact SummitPSA support.