The Sign-In public API lets integrations manage three things inside a Sign-In Context without driving the admin UI:
  • Username & Password — user accounts provisioned and rotated by the integration (HR system, PMS, event system).
  • Access Policy — add or remove email patterns that gate self-provisioning, Meeting Host, Conference, or Event Access modules.
  • Whitelisting — allow-list devices by MAC address so they bypass the Captive Portal.
The API is a thin management surface — it does not expose sign-in logs, guest sessions, or admin-only configuration. Use Webhooks to observe sign-in activity.

Authentication

Every request carries a per-Context API key in the x-auth-token header. The key lives on the Context — enable and rotate it under Administration → Configuration → Common Settings in the Sign-In Context admin. The same section lists every endpoint the API exposes and which legacy / V1 paths map to each other.
x-auth-token (string, required): API key for the target Sign-In Context. Rotatable from the admin.
The caller’s source IP must also be listed on the Organization’s Admin Portal network-access whitelist. Calls from IPs outside the whitelist return 403 Forbidden regardless of the API key. Coordinate whitelisting with the Organization admin before integration goes live.

Base URL

Every endpoint is built the same way:
{apiBaseUrl}/v1/org/{organizationId}/contexts/sign-in/{contextId}/...
The path is fixed across every deployment. The host is not — different Organizations may have different hostnames depending on how the platform was provisioned. There is no single default to assume.

Finding your {apiBaseUrl}

To find the value that applies to your Organization:
  • Check the dashboard instructions on your Organization’s admin home page — they list the API base URL that’s been configured for your deployment.
  • If the dashboard doesn’t show it, ask your Organization admin for the integration base URL.
Use that value wherever these docs show {apiBaseUrl} or $API_BASE_URL in examples.

Path parameters

organizationId (string, required): Organization ID the Sign-In Context belongs to. Visible alongside the base URL in the dashboard instructions.
contextId (string, required): Sign-In Context ID. Visible alongside the base URL in the dashboard instructions.

Content type

All request and response bodies are JSON. Set:
Content-Type: application/json
Accept: application/json

HTTP status codes

Common across every endpoint:
Status  Meaning
200     Success.
204     Success, no response body (DELETE).
400     Request body failed validation. Body shape is family-specific — see the per-family overview.
401     Missing or invalid x-auth-token.
403     Source IP is not whitelisted, or the Context / Organization cannot be resolved.
The error body shape depends on which API family you called. Each family’s overview page documents its exact shape alongside its validation rules and prerequisites.
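The following Python sketch is an added example, not code from the platform or its SDK. It builds the Context URL from the parts described above, attaches the x-auth-token and JSON headers, and maps the common status codes to the first thing to check. The function names, the HTTPS requirement and the caller-supplied suffix (standing in for the family-specific path) are assumptions of this example.

```python
import json
import urllib.request
from urllib.parse import quote, urlsplit

# What to check first for each status the overview lists.
TRIAGE = {
    400: "body failed validation; error shape is family-specific",
    401: "x-auth-token missing or invalid; confirm the key was not rotated",
    403: "source IP not whitelisted, or Context/Organization IDs do not resolve",
}


def context_url(api_base_url, organization_id, context_id, suffix=""):
    """Return {apiBaseUrl}/v1/org/{organizationId}/contexts/sign-in/{contextId}[/suffix]."""
    parts = urlsplit(api_base_url)
    # Assumption of this example: the key rides in a header, so require HTTPS.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("apiBaseUrl must be an absolute https:// URL")
    if not organization_id or not context_id:
        raise ValueError("organizationId and contextId are required")
    # Percent-encode the IDs so '/', '?' or '#' in a value cannot alter the path.
    org, ctx = quote(organization_id, safe=""), quote(context_id, safe="")
    url = f"{api_base_url.rstrip('/')}/v1/org/{org}/contexts/sign-in/{ctx}"
    return f"{url}/{suffix.lstrip('/')}" if suffix else url


def build_request(method, url, api_key, body=None):
    """Prepare (but do not send) a request carrying the per-Context key."""
    if not api_key or any(c in api_key for c in "\r\n"):
        raise ValueError("API key is empty or contains line breaks")
    headers = {
        "x-auth-token": api_key,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    data = json.dumps(body).encode("utf-8") if body is not None else None
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def triage(status):
    """Map a status code to the first thing to check, per the table above."""
    if status in (200, 204):
        return "ok"
    return TRIAGE.get(status, "not listed among the common status codes")
```

Pass the prepared request to urllib.request.urlopen to send it, and feed the code of any HTTPError it raises to triage(). Load the API key from the environment or a secret store rather than from source.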

API families

Username & Password

Create, update, and delete username/password users.

Access Policy

Add or remove email patterns that gate email-driven modules.

Whitelisting

Allow-list devices so they bypass the Captive Portal.