xui.one-docs

Admin API & HMAC

🔐 XUI.ONE Admin API & HMAC Authentication Guide

This guide provides an in-depth overview of the XUI.ONE Admin API, including available endpoints, HMAC authentication mechanisms, and configuration procedures.

📌 Enabling the Admin API in XUI.ONE

To utilize the Admin API:

Access the Admin Panel: Navigate to Management > Access Control > Access Codes.
Create an Access Code:
- Set the Access Type to Admin API.
- Assign it to the Administrators group.
- Optionally, restrict access by specifying an IP address.
Generate API Key: In your admin profile, generate a unique API key

Your API endpoint will resemble

http://yourdomain.com:8000/accesscode/?api_key=YOUR_API_KEY
https://yourdomain.com:9000/accesscode/?api_key=YOUR_API_KEY

To execute API actions, append the action parameter:

https://yourdomain.com:9000/accesscode/?api_key=YOUR_API_KEY&action=desired_action

🧰 Available API Endpoints

🔍 Information Retrieval

get_users
get_lines
get_streams
get_channels
get_movies
get_series_list
get_episodes
user_info
mysql_query

📄 Logs & Events

activity_logs
live_connections
credit_logs
client_logs
user_logs
stream_errors
watch_output
system_logs
login_logs
restream_logs
mag_events

👤 User Management

get_user
create_user
edit_user
delete_user
disable_user
enable_user

📶 Line Management

get_line
create_line
edit_line
delete_line
disable_line
enable_line
ban_line
unban_line

📺 MAG & Enigma Devices

get_mag / get_enigma
create_mag / create_enigma
edit_mag / edit_enigma
delete_mag / delete_enigma
disable_mag / disable_enigma
enable_mag / enable_enigma
ban_mag / ban_enigma
unban_mag / unban_enigma
convert_mag / convert_enigma

🌐 Access Codes

get_access_codes
get_access_code
create_access_code
edit_access_code
delete_access_code

📚 Bouquets

get_bouquets
get_bouquet
create_bouquet
edit_bouquet
delete_bouquet

📆 EPG Management

get_epgs
get_epg
create_epg
edit_epg
delete_epg
reload_epg

🔐 HMAC Keys

get_hmacs
get_hmac
create_hmac
edit_hmac
delete_hmac

🔐 Implementing HMAC Authentication

HMAC (Hash-based Message Authentication Code) enhances API security by ensuring message integrity and authenticity.

🛠️ Configuration Steps

Generate HMAC Key:
- Use the create_hmac API endpoint to generate a new HMAC key.
- Store the key and secret securely.
Client-Side Signature Generation:
- Concatenate the request method, URI, and timestamp.
- Use the secret to generate an HMAC SHA-256 signature of the concatenated string.
- Include the following headers in your request:

X-API-KEY: your_api_key
X-Signature: generated_hmac_signature
X-Timestamp: current_timestamp

Server-Side Verification:
- Upon receiving the request, the server uses the stored secret associated with the provided X-API-KEY to generate its own HMAC signature.
- If the generated signature matches the X-Signature header, the request is authenticated.

This mechanism ensures that requests are from trusted sources and have not been tampered with during transmission.

🧪 Example: Fetching User Information

To retrieve user details using the Admin API:

GET https://yourdomain.com:9000/accesscode/?api_key=YOUR_API_KEY&action=get_user&id=USER_ID

Replace YOUR_API_KEY with your actual API key and USER_ID with the ID of the user you wish to retrieve.

⚠️ Important Considerations

Security: Always use HTTPS to encrypt API communications.
Key Management: Rotate your HMAC keys periodically and revoke any compromised keys immediately.
Access Control: Restrict API access to specific IP addresses when possible.
Logging: Monitor API usage logs to detect any unauthorized access attempts.

By following this guide, you can effectively utilize the XUI.ONE Admin API and implement HMAC authentication to secure your IPTV services.