ManageEngine Endpoint Central API

Getting Started - Cloud

ManageEngine Endpoint Central cloud now facilitates easy integration with your existing infrastructure using REST APIs. You can perform various desktop management activities easily from a single console. You can find the list of modules for which APIs are available in the side bar, if you need more APIs you can contact us with your requirement.

This document describes prerequisites for using the API.

Multiple data centres

Endpoint Central cloud is hosted at multiple data centers, and therefore available on different domains. There are 7 different domains for Endpoint central cloud APIs, so you can use the one that is applicable to you.

Data centre
Domain
EndpointCentral_Server_URI
ZohoAccounts_Server_URI
DeveloperConsole

United States
.com
https://endpointcentral.manageengine.com
https://accounts.zoho.com
api-console.zoho.com

Europe
.eu
https://endpointcentral.manageengine.eu
https://accounts.zoho.eu
api-console.zoho.eu

India
.in
https://endpointcentral.manageengine.in
https://accounts.zoho.in
api-console.zoho.in

Australia
.com.au
https://endpointcentral.manageengine.com.au
https://accounts.zoho.com.au
api-console.zoho.com.au

China
.cn
https://endpointcentral.manageengine.cn
https://accounts.zoho.cn
api-console.zoho.cn

Japan
.jp
https://endpointcentral.manageengine.jp
https://accounts.zoho.jp
api-console.zoho.jp

Canada
.ca
https://endpointcentral.manageengine.ca
https://accounts.zohoone.ca
api-console.zohoone.ca

United Kingdom
.uk
https://endpointcentral.manageengine.uk
https://accounts.zoho.uk
api-console.zoho.uk

The APIs on this page are intended for organizations hosted on the .com domain. If your organization is on a different domain, replace ".com" with the appropriate domain for the API endpoints before using them.

Note: You can find out which domain you're accessing by checking the URL while accessing Endpoint Central.

Authentication

Endpoint central REST API supports OAuth 2.0 protocol to authorize and authenticate API calls. Follow the steps listed here to use OAuth 2.0 protocol in Endpoint central APIs.

OAuth Token Generation

The steps to generate an OAuth token are as follows:

1. Generate <Client ID> and <Client Secret>
2. Authorization by generating the <grant token>
3. Generating <Access> and <Refresh Token>
4. Generate <Access Token> from <Refresh Token>

Step 1: Generate Client ID and Client Secret

1. Register your application as a new client by accessing the developer console :
2. Choose <Client Type> that suits your application type.

OAuth 2.0

3. After choosing the client type, provide the required details and click 'Create'.

On successful registration, you will be provided with a set of OAuth 2.0 credentials such as <Client_ID> and <Client_Secret> that will be only known to Zoho and your application. (Do not share this credentials anywhere)

Step 2: Authorization by generating the grant token

After generating <Client_ID> and <Client_Secret>, a grant code has to be generated. Based on the client type the code can be generated in two ways.

i. Self Client Method - For Self Client type.
ii. Redirect Method - For Server-based Applications.

Self Client Method

- After registration, click the <Self Client> method available on the Applications list.
- Enter a valid <scope>. (Refer Scopes for more details.)
- Choose Time Duration.

NOTE: The grant<Code> value generated in this step will be expired after this period. The <Refresh Token>(Step 3) needs to be generated before the code expires.

- Enter <Scope> Description.

Self-client

Click Create to generate < code>

AuthCode style=

Redirect Method (For server based applications)

Make a request to the below URI with the given parameters

https://<ZohoAccounts_Server_URI>/oauth/v2/auth?scope=<SCOPE>&client_id=<CLIENT_ID>&state=testing&response_type=code&redirect_uri=<REDIRECT_URI>&access_type=offline&prompt=consent

Parameter
Description

Scope *
Scope is nothing but a permission to access the specific API for which the token is to be generated. Multiple scopes can be given and they have to be separated by commas.For Example: DesktopCentralCloud.Common.READ,DesktopCentralCloud.SOM.UPDATE

Client_id *
Client ID is obtained during <Client Registration>

State
A generated value that correlates the callback with its associated authorization request.

Response_type*
<code> (provide this literal string as the value)

redirect_uri *
Mention the redirect URI that was used while registering the client in (Step 1).

access_type
The allowed values are offline and online The online <access_type> gives your application an <access_token> which is valid only for one hour. The offline <access_type> will give the application an <access_token> as well as a <refresh_token>. By default the online <access_token> is taken.

prompt
Consent (provide this literal string as the value) Prompts for user consent each time your application tries to access user credentials. If left unspecified, the user will be prompted only the first time your application requests access.

Note: Fields with * are mandatory

Example


https://accounts.zoho.com/oauth/v2/auth?scope=DesktopCentralCloud.Common.READ&client_id=1000.I******************YF&state=54************5&response_type=code&redirect_uri=https://zylkerapps.com/oauth2callback&access_type=offline&prompt=consent

On invoking this request, If you already signed in with Zoho then a user consent page will be shown, If you do not have an active login session with Zoho then you will be redirected to the Zoho login page, and you need to enter your Zoho credentials to login. After authentication the user consent page will be shown.

OAuth 2.0

1. Upon clicking “Accept”, the application gets authorized. The grant <code> is sent as a parameter in the redirect_uri.
2. A back-end script from your end needs to store the following details from the above URL.
code={grant_token} - This is used to generate access and refresh tokens.
location={domain} - This tells you the domain of the user from which you have to make API calls.
accounts-server={accounts_URL} - This is your accounts URL which you have to use to generate refresh and access tokens.

Code

Note: This code is valid for only 60 seconds. Next Step have to be done within this time.

When the user clicks "Reject", the browser redirects to the redirect URI with the parameter error=access_denied, and your application is denied access to the user's data in Endpoint central.

Step 3: Generating Access and Refresh Token

Access Token

A access token is sent to the resource server to access the protected resources of the user. The <Access token> provides secure and temporary access to Endpoint central APIs and is used by the applications to make requests to the connected app. Each <access token> will be valid only for an hour and can be used only for the set of operations that are described in the scope.

Refresh Token

A refresh token is used to obtain new <access tokens>. This token has an unlimited lifetime until it is revoked by the end-user.

After generating Authorization code, a POST request to be made for the following URI with the params given below, to generate <refresh_token> and <access_token>.


METHOD: POST
https://<ZohoAccounts_Server_URI>/oauth/v2/token?code=<CODE>&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&redirect_uri=<REDIRECT_URI>&grant_type=authorization_code

Parameter
Description

code*
Authorization code obtained during grant token generation (Step 2).

client_id*
obtained during Client Registration (Step 1)

client_secret*
obtained during Client Registration (Step 1)

redirect_uri*
This param should be same redirect url mentioned while adding Client (Step 1).
This param is not required when self client application type is choosen during Client Registration (Step 1).

grant_type*
authorization_code (provide this literal string as value)

scope
Scope (scope is nothing but a permission to access specific API) for which the token to be generated. Multiple scopes can be given which has to be separated by commas.
Example: DesktopCentralCloud.Common.READ,DesktopCentralCloud.Inventory.READ

state
A generated value that correlates the callback with its associated authorization request.It has to be maintained the same during the entire process for authenticity.

Note: Fields with * are mandatory

EXAMPLE

METHOD: POST


https://accounts.zoho.com/oauth/v2/token?code=1000*********************e95e&client_id=1000.I*****************6YF&client_secret=1b****************96&redirect_uri=https://zylkerapps.com/oauth2callback&grant_type=authorization_code

In response, you will get both <access_token> and <refresh_token>.
1. The <access_token> will expire after an hour.
2. The <refresh_token> is permanent and will be used to regenerate new <access_token>, if the current access token expires.

NOTE: Each time a re-consent page is accepted, a new <refresh token> is generated. The maximum limit is 20 <refresh tokens> per user. If this limit is crossed, the first <refresh token> is automatically deleted to accommodate the latest one. This is done irrespective of whether the first refresh token is in use or not.

Step 4: Generating the access token from refresh token

<access_tokens> have limited validity. It expires in one hour. Once the <access_token> expires, user (or) the app will have to use the <refresh_token> to request for a new <access_token>. Using an expired access token throws the Invalid Oauthtoken error.

You can request for a refresh token to be generated along with the access token. To request for a refresh token, add access_type=offline in the request for generating the grant token. (Refer Step 2).

The <refresh_token> will always be generated by giving the parameter: prompt=consent

Note: Using a <refresh_token> client can create up to ten access tokens in a span of ten minutes. If the limit is reached, the access token creation will be blocked for the rest of the ten minutes.

The following POST URI with the params given below, generates a new <access_token>.


METHOD: POST
https://<ZohoAccounts_Server_URI>/oauth/v2/token?refresh_token=<REFRESH_TOKEN>&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&redirect_uri=<REDIRECT_URI>&grant_type=refresh_token

Parameter
Description

refresh_token*
The <refresh_token> obtained during <access_token> generation.(Step 3)

client_id*
<Client_id> obtained during client registration.

client_secret*
<Client_secret> obtained during client registration.

redirect_uri*
This param should be same redirect url mentioned while registering Client (Step 1).
This param is not required when self client application type is choosen during Client Registration (Step 1)

grant_type*
refresh_token (provide this literal string as value)

EXAMPLE

METHOD: POST


https://accounts.zoho.com/oauth/v2/token?refresh_token=1000.1*********************fb8&client_id=1000.I**********************6YF&client_secret=1b******************************96&redirect_uri=https://zylkerapps.com/oauth2callback&grant_type=refresh_token

In response, you will get a new <access_token>

Code

CALLING AN API USING OAUTH AUTHENTICATION

API - URI Structure

All API URI must be structured in the following format.

<EndpointCentral_Server_URI>/api/{Version}/{Entity}/{Operation|Action}

Tags
Optional/Mandatory
Description
Usage

Version
Mandatory
API Version
1.4 ie current API Version

Entity
Mandatory
The module for API
e.g. inventory, som

Operation or Action
Mandatory
Operation or action in the module
e.g. computers, computers/installagents

<access_token> can be passed only in header and cannot be passed in the request param.

Header name = Authorization
Header value> = Zoho-oauthtoken<space><access_token>
Sample: Authorization: Zoho-oauthtoken 1000.abcde12345fgh678.ijk9

Example of calling the SOM Summary API in postman


Request URI: https://endpointcentral.manageengine.com
API URI: api/1.4/som/summary

METHOD: GET

Code

SCOPE

Scope
Description

Scope Of Management (SOM)
DesktopCentralCloud.Common.READ,
DesktopCentralCloud.SOM.READ,
DesktopCentralCloud.SOM.UPDATE

Inventory
DesktopCentralCloud.Inventory.READ,
DesktopCentralCloud.Inventory.UPDATE

Patch
DesktopCentralCloud.PatchMgmt.READ,
DesktopCentralCloud.PatchMgmt.UPDATE