API publishing

Learn how to prepare your project to publish an API.

Endpoints are made accessible outside of Xapix in one of two ways:

  • Enable API publishing and let users sign up for a basic authorization token (admin API-token).

  • Disable API publishing, which disables authentication.

Typically, you do the following on the API Publishing page:

Overview

API Publishing, when enabled, allows for managing user access to a project's APIs.

Public URL is the base URL for the endpoint. Users are given this URL so that they can request an authentication token and reach the projects to which they have been given access.

Rate Limit Stores are caches used to store data to improve API call performance. They must first be defined in Cache Connections before they become available for selection in the Settings section of the API Publishing page. Currently, caches can be either Redis or Memcached.

Access Roles are profiles that determine which resources a user will be able to access. An access role limits a public user's access to an API based on a defined rate limit (for example, only 60 requests per day), a role type, and zero or more endpoints in a project. These access roles can then be assigned to specific users on the User Management page.

Rate limiting is the number of requests that can be made to an API per window (a specific time period). For example, an API can have 1000 requests per hour (window), but this is the total number of requests. Rate limiting can be used to prevent overloading a system's infrastructure, such as might be caused by a DoS (denial-of-service) attack or a DDoS (distributed denial-of-service) attack. Additionally, if requests to an API start to become more frequent, the rate limit can be adjusted in steps to achieve optimum performance for users. A Rate Limit Store must be selected to use Rate Limiting.
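
A fixed-window counter is one common way to enforce a per-window limit like the one described above. The sketch below is an added example, not Xapix's implementation: the class names, the in-memory store standing in for a Redis or Memcached Rate Limit Store, and the 429 status are assumptions. It also replays the window-boundary case, where close to twice the limit can pass in a short span.

```python
import math
import time

class MemoryStore:
    """Constructed stand-in for a Redis/Memcached rate limit store:
    increments a counter key that expires together with its window."""
    def __init__(self):
        self._data = {}  # key -> (count, expires_at)

    def incr(self, key, ttl, now):
        count, expires_at = self._data.get(key, (0, now + ttl))
        if now >= expires_at:  # counter has expired, start again
            count, expires_at = 0, now + ttl
        self._data[key] = (count + 1, expires_at)
        return count + 1

class FixedWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per client."""
    def __init__(self, store, limit, window):
        self.store, self.limit, self.window = store, limit, window

    def check(self, client_id, now=None):
        now = time.time() if now is None else now
        window_start = int(now // self.window) * self.window
        key = f"rl:{client_id}:{window_start}"   # one counter per client per window
        ttl = window_start + self.window - now   # seconds left in this window
        used = self.store.incr(key, ttl, now)
        allowed = used <= self.limit
        return {
            "allowed": allowed,
            "status": 200 if allowed else 429,
            "remaining": max(self.limit - used, 0),
            "retry_after": 0 if allowed else math.ceil(ttl),
        }

def simulate(limit, window, timestamps, client_id="token-A"):
    """Replay constructed request timestamps; return the status codes."""
    limiter = FixedWindowLimiter(MemoryStore(), limit, window)
    return [limiter.check(client_id, now=t)["status"] for t in timestamps]

if __name__ == "__main__":
    day = 86400  # the "60 requests per day" role from the text
    burst = [10 + i for i in range(61)]
    print(simulate(60, day, burst)[-2:])  # 60th passes, 61st is rejected
    # Edge case: 60 requests just before the boundary plus 60 just after.
    edge = [day - 61 + i for i in range(60)] + [day + i for i in range(60)]
    print(simulate(60, day, edge).count(200))
```

Because the counter lives in the store rather than in the API process, every instance serving the endpoint sees the same count, which is why a store has to be selected before a limit can be enforced.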

Cross-Origin Resource Sharing (CORS) allows AJAX requests to an API (endpoint) from a browser. Specific origin hosts can be set or all AJAX requests can be allowed.

Admin API Token is a bearer token that becomes available only after API Publishing is enabled. It can be copied and used for accessing your endpoints.

Bearer Token Expires Daily - For security reasons, the bearer token is refreshed daily. You will need to update the token if you republish the project after the token has expired, usually after a period of 24 hours.