Our site provides an extensive REST API to provide a way to consume and create data for third-party applications and websites.
Examples of things you could do includes automatically posting new mod releases from your GitHub via integration, authenticating TES3MP users against your Community members, and much more.
Authorization
There are two ways to authenticate requests to our REST API: using an API key (all versions), or using OAuth (4.3 and above).
When using an API key, all data is available and all actions can be performed. For example, if you send an API request to GET /forums/topics, every topic in the community will be in the results; if you send an API request to POST /forums/topics you can create a topic as any user on the community. It is therefore very important that you always keep the API Keys secret, and only grant access to the endpoints you intend to use. We only use these for our internal tools, though most still use OAuth with appropriately roled and scoped accounts.
Unlike with API keys, when accessing the REST API with OAuth, you will be providing an access token which has been granted to a specific user* and only data that user can see, and actions that user can perform are available. For example, if you send an API request to GET /forums/topics, only topics in forums that the authenticated user can see will be in the results; if you send an API request to POST /forums/topics the topic will be created as the authenticated user and that cannot be changed.
Some endpoints are only available when using one method or the other. For example, GET /core/me gets information about the authenticated user and so can only be used when authenticated with OAuth. Meanwhile, POST /forums/forums creates a forum, which is exclusively a site-level operation and so can only be used when authenticated with an API Key (though we can also authenticate with Client Credentials which will work similarly to using an API Key, giving full access to the API rather than as a specific user) . Some endpoints, while available to both methods, might accept different request parameters or have different response parameters for different methods which will be explained in the documentation.
Error Handling
When an error is encountered, you will receive a response like this:
{ "errorCode": "3S290\/7", "errorMessage": "INVALID_API_KEY" }
The possible error codes/messages for each endpoint are detailed within this documentation reference. In addition to the endpoint-specific errors, the following global errors may also be returned:
Code | Message | Description |
1S290/A or 1S290/C | IP_ADDRESS_BANNED | The IP address that is sending the request has been banned from the community. This may happen automatically if the IP Address has repeatedly sent many requests with invalid API keys. |
1S290/D | TOO_MANY_REQUESTS_WITH_BAD_KEY | The IP address that is sending the request has sent multiple requests with an invalid API key and so is prevented from sending any more requests for several minutes. |
2S290/6 | NO_API_KEY | No API key or OAuth access token was sent in the request. |
2S290/8 | IP_ADDRESS_NOT_ALLOWED | The API key was valid, but is configured to only be valid for requests coming from certain IP addresses and IP address the request was sent from is not in the allowed list. |
2S290/B | CANNOT_USE_KEY_AS_URL_PARAM | The API key was valid, but it is not configured to be used as URL authentication and must be used in AUTHORIZATION headers. |
3S290/7 | INVALID_API_KEY | The API key sent in the request is not valid. |
2S290/9 | INVALID_LANGUAGE | An X-IPS-Language header was sent in the request (which can be used to specify a language ID for the response), but its value was not valid. |
3S290/3 | INVALID_APP | The endpoint the request was sent to does not exist (the first level contains an invalid character, only alphanumerics are acceptable). |
3S290/4 | INVALID_CONTROLLER | The endpoint the request was sent to does not exist (the second level contains an invalid character, only alphanumerics are acceptable). |
2S290/1 | INVALID_APP | The endpoint the request was sent to does not exist (the first level does not exist). |
1S290/2 | APP_DISABLED | The application which controls the endpoint the request was sent to is currently disabled. |
2S290/5 | INVALID_CONTROLLER | The endpoint the request was sent to does not exist (the second level does not exist). |
2S291/1 | NO_ENDPOINT | The endpoint the request was sent to does not exist (the URL contains too many levels). |
2S291/3 | NO_PERMISSION | The API key does not have permission to access the requested endpoint. |
3S291/2 | BAD_METHOD | The endpoint the request was sent to does not exist - the HTTP request method may be incorrect (for example, sending a GET rather than a POST). |
3S290/9 | INVALID_ACCESS_TOKEN | The OAuth access token sent in the request is not valid. |
1S290/E | EXPIRED_ACCESS_TOKEN | The OAuth access token sent in the request was valid but has expired. |
3S290/B | NO_SCOPES | The OAuth access token has not been authorised to access any scopes. |
GET / POST documentation for all application scopes will be posted in due course.
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.