ExtremeXOS® v33.6.1 User Guide

API Architecture

The ExtremeXOS REST API is based on industry-standard HTTP/HTTPS protocols and follows RESTful design principles. API requests use standard HTTP methods (GET, POST, PUT, DELETE, PATCH) to perform operations on switch resources.

The API is accessible through the OpenAPI server, which runs alongside other web-based interfaces on the switch:

OpenAPI server: Provides RESTful API access at /rest/openapi
RESTCONF: Provides RESTCONF protocol access at /rest/restconf
Chalet: Web-based management interface at root path /
Authentication: Token generation endpoint at /auth/token

All services coexist on standard HTTP (port 80) and HTTPS (ports 443, 9443) using URI-based path multiplexing.

Accessing the API

Before using the REST API, you must enable the OpenAPI server. On Universal Platforms, use the following command:

enable openapi

Once enabled, the API is accessible at:

http://<switch-ip>/rest/openapi
https://<switch-ip>/rest/openapi
https://<switch-ip>:9443/rest/openapi

For detailed information about managing the OpenAPI server, including enabling, disabling, restarting, and monitoring server status, see Managing the OpenAPI Server.

Authentication

API requests require authentication using token-based authentication. The authentication workflow consists of two steps:

Obtain an authentication token: Send a POST request to /auth/token with your username and password:

POST http://<switch-ip>/auth/token
Content-Type: application/json

{
  "username": "admin",
  "password": ""
}

The response includes an authentication token and its time-to-live (TTL):

{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
  "ttl": 86400
}

Use the token in subsequent requests: Include the token in the x-auth-token header:

GET http://<switch-ip>/rest/openapi/v0/state/system
x-auth-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...

Tokens remain valid for the configured TTL period (default 24 hours). After expiration, you must obtain a new token. For information about configuring token TTL, see Configurable Web Authentication Token Time-to-Live.

Tip

Use HTTPS for all API communication to protect authentication tokens and sensitive data in transit.

API Endpoints and Operations

The REST API provides access to switch resources through structured URIs. Common resource categories include:

Configuration: VLAN, port, routing, and feature configuration
State: Operational status, statistics, and runtime information
Actions: Operational commands like rebooting, saving configuration, or clearing counters

HTTP methods correspond to operations on resources:

GET: Retrieve resource information (configuration or state)
POST: Create new resources or execute actions
PUT: Replace entire resource configuration
PATCH: Modify specific fields within a resource
DELETE: Remove resources

Example operations:

# Get system information
GET /rest/openapi/v0/state/system

# Get VLAN configuration
GET /rest/openapi/v0/config/vlans

# Create a VLAN
POST /rest/openapi/v0/config/vlans
Content-Type: application/json

{
  "name": "finance",
  "tag": 100
}

# Modify port configuration
PATCH /rest/openapi/v0/config/ports/1
Content-Type: application/json

{
  "admin-state": "enabled",
  "description": "Server Connection"
}

API Documentation and Schema

Complete API documentation, including available endpoints, request/response formats, and data models, is available through the OpenAPI schema. Once the OpenAPI server is enabled, access the schema at:

https://<switch-ip>/rest/openapi

The schema provides:

Complete list of available API endpoints
Request and response formats for each endpoint
Data type definitions and validation rules
Example requests and responses
Error codes and troubleshooting information

The schema follows the OpenAPI Specification (formerly Swagger), which is widely supported by API development tools and client libraries.

Request and Response Format

The API uses JSON (JavaScript Object Notation) for request and response bodies. All requests and responses must include appropriate Content-Type headers:

Request headers:

Content-Type: application/json
x-auth-token: <your-token>

Response format:

Successful operations return HTTP status codes in the 200 range along with response data in JSON format. Common success codes include:

200 OK: Successful GET, PUT, or PATCH operation
201 Created: Successful POST operation that created a resource
204 No Content: Successful DELETE operation or action with no return data

Error conditions return HTTP status codes in the 400 or 500 range along with error details:

400 Bad Request: Invalid request format or parameters
401 Unauthorized: Missing or invalid authentication token
404 Not Found: Requested resource does not exist
500 Internal Server Error: Server-side error processing the request

Error responses include descriptive messages to help diagnose issues:

{
  "error": {
    "code": 404,
    "message": "VLAN 'invalid-vlan' not found"
  }
}

Common Use Cases

Network Automation:

Use the REST API with automation tools like Ansible to deploy consistent configurations across multiple switches, perform automated backups, or implement configuration templates.

Custom Monitoring:

Integrate with monitoring platforms to collect switch statistics, port status, or system health metrics. Build custom dashboards or alerting systems based on real-time switch data.

Configuration Management:

Implement configuration management workflows using version control systems. Store switch configurations as JSON, track changes over time, and automate configuration deployment.

Integration with IT Systems:

Integrate switch management with ticketing systems, asset management databases, or enterprise service management platforms. Automate provisioning workflows triggered by external systems.

Custom Applications:

Develop custom applications or scripts using Python, JavaScript, or other languages to interact with switches programmatically. Build specialized tools for your specific operational needs.

Client Libraries and Tools

Several tools and libraries facilitate REST API interaction:

Command-line tools:

curl: Standard command-line HTTP client for testing API endpoints
HTTPie: User-friendly command-line HTTP client with JSON support

Programming language libraries:

Python: requests library for HTTP operations
JavaScript/Node.js: axios or fetch for API calls
Go: net/http package
Java: Apache HttpClient or OkHttp

API development tools:

Postman: Interactive API testing and development environment
Swagger UI: Interactive API documentation and testing interface
Insomnia: REST API client for testing and debugging

Example using curl:

# Get authentication token
curl -X POST http://192.168.1.1/auth/token \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":""}'

# Use token to get system state
curl -X GET http://192.168.1.1/rest/openapi/v0/state/system \
  -H "x-auth-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."

Example using Python requests library:

import requests
import json

# Get authentication token
auth_response = requests.post(
    'http://192.168.1.1/auth/token',
    json={'username': 'admin', 'password': ''}
)
token = auth_response.json()['token']

# Get system state
headers = {'x-auth-token': token}
response = requests.get(
    'http://192.168.1.1/rest/openapi/v0/state/system',
    headers=headers
)
system_info = response.json()
print(json.dumps(system_info, indent=2))

Best Practices

Use HTTPS: Always use HTTPS in production environments to protect authentication tokens and sensitive configuration data
Secure token storage: Store authentication tokens securely and never embed them in code repositories or configuration files
Handle token expiration: Implement logic to detect token expiration (401 Unauthorized responses) and automatically obtain new tokens
Implement error handling: Always check HTTP status codes and handle errors gracefully in your applications
Rate limiting awareness: Be mindful of API request rates to avoid overwhelming the switch, especially when polling for status
Use appropriate HTTP methods: Use GET for retrieving data, POST for creating resources, PATCH for updates, and DELETE for removal
Validate responses: Always validate API responses before using the data in your application
Version awareness: Pay attention to API version in the URI path (e.g., v0) as APIs may evolve over time
Test in lab: Test API scripts and applications thoroughly in a lab environment before deploying to production
Monitor API server health: Use show openapi to monitor server status and resource usage

Troubleshooting

Cannot connect to API:

Verify the OpenAPI server is enabled: show openapi
Check network connectivity to the switch
Verify you're using the correct IP address and port
Ensure web server is enabled: show switch management

Authentication failures:

Verify username and password are correct
Check that the token hasn't expired
Ensure the x-auth-token header is included in requests
Verify the token was copied completely without truncation

400 Bad Request errors:

Check JSON syntax in request body
Verify all required fields are included
Ensure data types match schema requirements
Check that URIs are correctly formatted

404 Not Found errors:

Verify the resource exists on the switch
Check URI path for typos
Ensure the API version in the path is correct
Verify resource names exactly match (case-sensitive)

Server errors (500 range):

Check OpenAPI server status: show openapi
Review system logs for errors
Try restarting the OpenAPI server: restart process openapi
Contact support if errors persist

Additional Resources

OpenAPI schema documentation: https://<switch-ip>/rest/openapi
OpenAPI server management: See Managing the OpenAPI Server
Token TTL configuration: See Configurable Web Authentication Token Time-to-Live
OpenAPI Specification: https://www.openapis.org
REST API design principles: Industry-standard REST architectural style documentation