API access and API keys
SummitPSA ships a REST API (v1) for integrating with your own tools and scripts. Requests authenticate with a Bearer API key, and each key carries fine-grained permissions.
Create an API key
- Go to Admin → API keys.
- Name the key, optionally tie it to an agent (so created tickets are attributed to them), and tick the permissions per module — view, create, edit for tickets, companies, contacts, assets, projects, knowledge base, and finance.
- Save. The full key (prefixed
xva_) is shown once — copy it immediately. Only a bcrypt hash is stored.
Keys can be revoked (deactivated) or deleted at any time, and the list shows each key's last-used time.
Authenticating
Send the key as a Bearer token on every request:
Authorization: Bearer xva_your_key_here
Missing, malformed, expired, or revoked keys return 401; a key lacking the required module permission returns 403.
Endpoints (v1)
| Method | Path | Purpose |
|---|---|---|
| GET | /api/v1/health | Status check (no auth) |
| GET | /api/v1/tickets | List tickets (filter by status, priority; paginated) |
| GET | /api/v1/tickets/{id} | Ticket detail with client-visible replies |
| POST | /api/v1/tickets | Create a ticket (title required) |
| PUT | /api/v1/tickets/{id} | Update status, priority, or assignee |
| GET | /api/v1/companies, /companies/{id} | List / detail companies |
| GET | /api/v1/contacts | List contacts (filter by company, search) |
| GET | /api/v1/assets | List assets (filter by company, status) |
Example
curl -H "Authorization: Bearer xva_your_key_here" \
https://your-install/api/v1/tickets?status=open&per_page=20
List endpoints are paginated — use
pageandper_page(max 50). Grant a key only the permissions its integration actually needs.
Was this article helpful?