API Overview
SIP.IO is driven by a set of HTTP services. As a developer you’ll mostly use the public /v1 REST API; the platform also runs an edge control plane, a realtime service, and a management console behind the scenes.
The services
Section titled “The services”| Service | Host | What it’s for |
|---|---|---|
| Public API | api.sip.io/v1 | The versioned REST API you build against: accounts, calls/CDR, agents, queues, numbers, DNC, campaigns, webhooks. Public API (v1). |
| Realtime | realtime.sip.io | The live supervisor wallboard UI and its WebSocket feed. |
| Console | console.sip.io | Management surface + console login (email/password → session token). |
| Edge control plane | the node host | The endpoints the SIP edge calls to run calls (/route, /flow, /auth, /agent, …). Control-Plane API. |
The services share one account, auth, and data model. They’re separate deployments of one platform, not separate products.
Authentication
Section titled “Authentication”Two credential types, both presented in a header (see Authentication):
- API keys:
x-api-key: sk_…, for machine-to-machine. Scoped per key. - Session tokens:
Authorization: Bearer <jwt>, issued by console login, for user sessions.
Every request is authorized against per-resource scopes (calls/cdr, agents, queues, numbers, dnc, campaign, webhooks, …; * grants all).
Base URL & formats
Section titled “Base URL & formats”The public API is https://api.sip.io. Requests and responses are JSON; the edge control plane also accepts form-encoded bodies (the SIP nodes’ default). An OpenAPI 3.0 spec is served at GET /v1/openapi.json, so you can generate a typed client in any language.
Webhooks
Section titled “Webhooks”Subscribe to events (call.started, call.ended) and SIP.IO POSTs them to your URL, HMAC-SHA256 signed. See Webhooks.
The resource model
Section titled “The resource model”The configuration objects you create and edit (accounts, numbers, queues, schedules, trunks) are defined by the data model. The /v1 API reads and writes these; the Resource Reference lists their fields.
Conventions you’ll see
Section titled “Conventions you’ll see”- Route target: the
dest_kind/dest_id/dest_xformtrio that says “send the call here.” See Numbers & Extensions. - Secret references: fields ending in
_secret_refhold a key into the encrypted store, never a plaintext secret. - IDs are prefixed, time-ordered opaque strings (
q_…,us_…,sk_…); time is epoch, money is micro-units.
Continue to Authentication.