# Using the Flex API Flex API is designed for advanced users. You will need advanced server skills to be able to use the Ixkio Flex API. Please be aware that Ixkio cannot provide code or advice on how your server or app would access the API, only how to configure our platform and responses. The NFC tags will link to your third party server first. Your server will extract parameters from the URL and make an API request to the ixkio platform. Ixkio will then respond to your server verifying the tag details. ![API](https://770176883-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1m32V4WVDRdj0RaSFSm5%2Fuploads%2F4KcBIJCkoeCEw6VtPc8W%2FAPI.png?alt=media\&token=7c656bf7-10df-496a-9fb9-86a78fca2097) These pages discuss accessing the API for the purposes of using the API Response Mode. ## Accessing the API The ixkio API is accessed at the following endpoint via : ``` GET https://api.ixkio.com/v1/t ``` {% hint style="warning" %} All requests must be over HTTPS {% endhint %} You can access the API either by using : * the ixkio system's tag XUID * the tag's CUID (a UID that you set per tag) and your [AID](https://docs.ixkio.com/account-management/account-information#account-id) (account ID) * or the tag's UID and your AID. Parameters should be passed in the query string as follows : #### XUID > x={XUID} > > Example : GET The Tag Code (XUID) needs to be added to all API GET requests unless you wish to access the tag using your CUID or UID. As the XUID is unique across the entire ixkio platform, there is no need to include any additional identifier or your AID with this request type. If you are not using authentication tags, then this can be the only parameter you need to include to generate a response from the API. #### CUID or UID > c={CUID} > > Example : GET or > u={UID} > > Example : GET If you access the API using the [CUID](https://docs.ixkio.com/features/meta-data/core-data#custom-uid-cuid) or [UID](https://docs.ixkio.com/features/meta-data/core-data#uid), then you do not need to include the XUID in the API request. However, you must also include your [AID ](https://docs.ixkio.com/account-management/account-information#account-id)(Account ID). The UID or CUID data must have been uploaded into the ixkio platform prior to the API request. {% hint style="info" %} The CUID parameter is case sensitive search - ABC123 is not the same CUID as abc123. The UID parameter must always be uppercase. {% endhint %} ## API Response The API Response will follow the Rules configured for that Tag Code (or inherited by that Tag Code from the Tag Group). For this example, we will assume that a simple configuration has been created with an Active Folder > Tag Group (standard type) > Batch > Tag Code. We will also assume that a 'Default API Response' has been set at the Tag Group level. In this example, we will simply use a Default API Response of 'Found'. We will be testing a tag XUID of 'q8w3sbcz'. The API request is made to : ``` GET https://api.ixkio.com/v1/t?x=q8w3sbcz ``` The API will return a JSON response in the format : ```json { "xuid": "q8w3sbcz", "response": "Found" } ``` Error responses will be provided as : ```json { "xuid": "q8w3sbcz", "error": "batch_inactive" } ``` ### Response to CUID or UID requests If your request is via the CUID or UID method, then a successful response will return only the CUID and the associated XUID. For example, a request for : ``` GET https://api.ixkio.com/v1/t?a=youraid&c=yourcuid ``` will generate a successful response of : ```json { "xuid": "q8w3sbcz", "cuid": "yourcuid", "response": "Found" } ``` (where 'Found' is the API Response entered into your Tag Group or Tag Code Rule) However, a failed response for an incorrect AID will return an error : ```json { "xuid": "", "cuid": "yourcuid", "error": "aid_not_found" } ``` where a not found CUID will return : ```json { "xuid": "", "cuid": "yourcuid", "error": "cuid_not_found" } ``` For API information for authentication NFC tags, read the [API Mode for Authentication](https://docs.ixkio.com/flex-api/flex-api-getting-started/flex-api-ntag424-authentication). {% hint style="info" %} The HTTP response status code for **all** responses is 200 OK. {% endhint %} ## API settings API settings are controlled at the Folder level and affect all Tag Groups, Batches and Tags under that Folder. It's possible to set different API settings on different Folders to allow different access options. Navigate to the API Folder Level, then the API Settings panel to make changes to the settings. ### API Tokens By default, access to your API does not require any token. However, you can set token access in the API settings to restrict access. An alphanumeric token up to 32 characters in length can be added into the API Token field. The API Token can then be passed in either GET query string using the parameter 'r', for example : > r={API\_TOKEN} > > Example : GET Alternatively, you can pass the token in the GET Header request using any one of the keys X-API-Key, X-Api-Key or Ixkio-R. ### CORS [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) (Cross-Origin Resource Sharing) is a security mechanism designed to control which domains a browser can access resources from. For most use cases, you can leave this field blank but for some use cases, you can modify the `Access-Control-Allow-Origin` response. #### No setting (default) If you leave the CORS setting blank, then the API response will be returned without an Access-Control-Allow-Origin header. #### \* Entering a \* into the CORS field will allow access from any domain. #### Domain Entering a specific domain, such as (no trailing slash), will activate the Access-Control-Allow-Origin header response with the value of the domain entered. The CORS field will accept a single domain value up to 100 characters in length. ## Rate Limits Access to the API is rate limited and monitored to maintain overall service levels. However, under all normal NFC use cases, users would not hit any limits. We will contact you if our systems flag any unusual or high volume access. ## Using Authentication NFC Tags {% hint style="warning" %} We strongly advise creating a new Batch for each set of authentication tags, even if it's simply a repeat order. {% endhint %} ### Seritag Encoding If you are purchasing your NTAG424 tags from Seritag, you can ask for them to be encoded before shipping. In this instance, Seritag will encode the tags and store the encryption keys against each tag. ### Ixkio App Encoding You can use the ixkio mobile app to encode authentication tags for Flex API. Note that the Ixkio App currently only supports CMAC authentication encoding not PICCData/Meta encoding. If you are intending to use PICCData/Meta as well, then tags need to be encoded by Seritag (or you can encode yourself) Read the guide here on how to configure the console for encoding Tags to your auth landing page. {% content-ref url="../../mobile-app/mobile-app-functions/encode/api-response-mode-encoding" %} [api-response-mode-encoding](https://docs.ixkio.com/mobile-app/mobile-app-functions/encode/api-response-mode-encoding) {% endcontent-ref %} ### Encoding Tags Yourself If you can encode the NTAG424 tags yourself, you can upload the keys into the ixkio platform. * Create the Tag Codes in a new Batch in your Console * Download the XUID (*Batch Function Panel > Download*) * If required, use the XUID list to add your own CUID using [Associate Data](https://docs.ixkio.com/features/associate-data) * Generate your own keys and create an Associate Data file with the header XUID,KEY * Upload your Keys into the ixkio platform at *Batch Function Panel > Keys*