REST implementation

This section describes the aspects common to all REST-based interfaces of Cumulocity. The interfaces are based on the Hypertext Transfer Protocol 1.1 using HTTPS.

HTTP usage


All requests need to be authenticated. There are two ways to do that. First is
to include the HTTP "Authorization" header. The second is OAuth2 authentication code grant. Both are described below.

For the Authorization header method the format is:

Authorization: Basic <<Base64 encoded credentials>>

An example can be found in the Wikipedia entry.

For OAuth authentication the format is:

Authorization: Bearer <<Base64 encoded access token>>

Cumulocity uses the URL in the "Host" header to determine the tenant to authenticate against. Alternatively, you can pass the tenant's ID as part of the "Authorization" header in the following form:

<<tenant ID>>/<<user name>>:<<password>>

Typically, the tenant ID corresponds to the first part of the URL that you are using to access Cumulocity, e.g. if you use "" as URL, the tenant ID will be "mytenant".

Cumulocity supports two factor authentication. If it is enabled, the two factor authentication token is sent in header:


If the token expires and requires renewal, the backend sends a response header:


JWT token authentication

Cumulocity supports JWT token authentication. The HTTP header must include:

Authorization: Bearer <<Base64 encoded JWT token>>

The JWT token must be signed using RSA signature with SHA-256 (RS256). The minimal RSA key size is 512 bit. You can generate an example key here.

You must upload your public key to the tenant options to the "token.publicKey" category.


POST /tenant/options
Host: ...
Authorization: Basic ...
Content-Type: application/;ver=...
Accept: application/;ver=...
    "category": "token.publicKey",
    "key": "myPubKey",
    "value": "..."

The "key" is an identifier of the public key, which will be referenced in the JWT token header, and the "value" is the public key in PEM format.

Now you can generate the JWT token and sign it with th ematching private key. For example you can do it here.

Token format:

  "typ": "JWT",
  "alg": "RS256",
  "kid": "myPubKey"
  "iss": "cumulocity",
  "aud": "myTenant",
  "sub": "username",
  "nbf": 1515678716,
  "exp": 1516629116
  • "kid" is the public key identifier used in tenant options
  • "iss" must be set to "cumulocity"
  • "aud" is the tenant ID
  • "sub" is the user ID
  • "nbf" and "exp" is token validity from/to time range in unix time format

If tenant/username don't match or the token is expired or the signature is invalid then a 401 error will be returned.

OAuth authentication code grant

The login with OAuth requires a correct configuration on the Cumulocity side. With the configuration, an additional button is available on the Login page. After clicking the button, the user is redirected to authenticate with the configured authorization server. On successful login, the user is redirected to Cumulocity.

Authentication details are exchanged using cookies. There are two parts to it, the first is the authentication cookie that is handled automatically by the Cumulocity platform. The second is the XSRF-TOKEN cookie. When a client receives the cookie, it should take the value and put it in the X-XSRF-TOKEN request header in all subsequent requests.

The flow of authenticating with OAuth authentication code grant is as follows:

Authentication flow

The first request executed by the browser is:

POST /tenant/loginOptions
Host: ...
Content-Type: application/;ver=...
Accept: application/;ver=...


    "loginOptions": [
            "buttonName": "Login with oauth",
            "grantType": "AUTHORIZATION_CODE",
            "initRequest": "",
            "self": "",
            "type": "oauth2"
            "self": "",
            "type": "basic"
    "self": ""

Here we have two login options, one with basic and the other with OAuth2. If a user decides to login with OAuth, the browser must invoke the request provided in the initRequest parameter.

The initRequest initiates the redirect, in which the user is prompted for credentials. After successful login, the user is redirected back to the browser, where it must capture the code request parameter. Then the request to exchange the code for the token is as follows:

POST /tenant/oauth?grant_type=authorization_code&code=<<code>>
Host: ...

A successful response will have no body but the following response headers:

Set-Cookie: authorization=<<token>>;
Set-Cookie: XSRF-TOKEN=<<xsrfToken>>;

Application management

Cumulocity uses a so-called "application key" to distinguish requests coming from devices and traffic from applications. If you write an application, pass the following header as part of all requests:

X-Cumulocity-Application-Key: <<application key>>

For example, if you registered your application in the Cumulocity administration application with the key "myapp", pass

X-Cumulocity-Application-Key: myapp

This makes your application subscribable and billable. If you implement a device, do not pass the key.

Make sure that you pass the key in all requests coming from an application. If you leave out the key, the request will be considered a device request and the corresponding device will be marked as "available".

Limited HTTP clients

If you use an HTTP client that can only perform GET and POST methods in HTTP, you can emulate the other methods through an additional "X-HTTP-METHOD" header. Simply issue a POST request and add the header, specifying the actual REST method to be executed. For example, to emulate the "PUT" (modify) method, you can use:

POST ...

Processing mode

Every update request (PUT, POST, DELETE) executes with a so-called processing mode. The default processing mode is PERSISTENT, which means that all updates will be send both to the Cumulocity database and to real-time processing. The TRANSIENT processing mode will only send updates to real-time processing. As part of real-time processing, the user can decide case by case through scripts whether updates should be stored to the database or not. The QUIESCENT processing mode will behave like PERSISTENT processing mode with an exception that no real-time notifications will be sent. Currently, the QUIESCENT processing mode is applicable for measurements and events only. The CEP processing mode will behave like TRANSIENT processing mode with an exception that no real-time notifications will be sent. Currently, the CEP processing mode is applicable for measurements and events only.

To explicitly control the processing mode of an update request, an "X-Cumulocity-Processing-Mode" header can be used with a value of either "PERSISTENT", "TRANSIENT", "QUIESCENT" or "CEP":

X-Cumulocity-Processing-Mode: TRANSIENT


All requests issued to Cumulocity are subject to authorization. To determine the required permissions, see the "Required role" entries in the reference documentation for the individual requests. To learn more about the different permissions and the concept of ownership in Cumulocity, see "Managing permissions and ownership" in the Section "Security aspects".

Media types

Each type of data is associated with an own media type. The general format of media types is


Each media type contains a parameter "ver" indicating the version of the type. At the time of writing, the latest version is "0.9". The complete media type names are given in the respective sections of the reference guide. As an example, the media type for an error message in the current version is


Media types are used in HTTP "Content-Type" and "Accept" headers. If you specify an "Accept" header in a POST or PUT request, the response will contain the newly created or updated object. If you do not specify the header, the response body will be empty.

If a media type without "ver" parameter is given, the oldest available version will be returned by the server. If the accept header contains the same media type in multiple versions the server will return a representation in the latest supported version.

Date format

Data exchanged with Cumulocity in HTTP requests and responses is encoded in JSON format and UTF-8 character encoding. Timestamps and dates are accepted and emitted by Cumulocity in ISO 8601 format:

Time: hh:mm:ss±hh:mm
Timestamp: YYYY-MM-DDThh:mm:ss±hh:mm

To avoid ambiguity, all times and timestamps must include timezone information. Please take into account that the plus character "+" must be encoded as "%2B".

Error reporting

In error cases, Cumulocity returns standard HTTP response codes as described in RFC2616. A Client should not only be able to handle individual codes but classes of codes as well (e.g., 4xx). The response body can contain more information about the error, see the error media type definition below. General error interpretations are:

Code Name Description
400 Bad Request The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
401 Unauthorized Authentication has failed, or credentials were required but not provided.
403 Forbidden You are not authorized to access the API.
404 Not Found Resource not found at given location.
405 Method not allowed The employed HTTP method cannot be used on this resource (e.g., using "POST" on a read-only resource).
409 Update Conflict Conflict on resource update, entity was changed in the meantime.
409 Duplicate The entity already exists in the data source.
413 Execution timeout, operation will be abandoned Query had been running too long and was timed out.
422 Invalid Data General error with entity data format.
422 Non Unique Result Resource constraints error. Non-unique result from the query.
422 Unprocessable entity Resource cannot be processed.
500 Internal Server Error An internal error in the software system has occurred and the request could not be processed.
503 Service Unavailable The service is currently not available. This may be caused by an overloaded instance or it is down for maintenance. Please try it again in a few minutes.

REST usage

Interpretation of HTTP verbs

The semantics described in the HTTP specification are used:

  • POST creates a new resource. In the response "Location" header, the URI of the newly created resource is returned.
  • GET retrieves a resource.
  • PUT updates an existing resource with the contents of the request.
  • DELETE removes a resource. The response will be "204 No Content".

If a PUT request only contains parts of a resource, so called "fragments", only those parts are updated. To remove a fragment, use a PUT request with a null value for the fragment. PUT cannot update sub-resources that are identified by a separate URI.

URI space and URI templates

Clients should not make assumptions on the layout of URIs used in requests, but construct URIs from previously returned URIs or URI templates. The root interface provides the entry point for clients, see below.

URI templates contain placeholders in curly braces, which need to be filled by the client to produce a URI. As an example, see the following excerpt from the event API response:

HTTP/1.1 200 OK
Content-Type: application/;...
Content-Length: ...

  "events" : { "self" : "http://..." },
  "eventsForSourceAndType" : "http://...?type={type}&source={source}"

The client would need to fill the "type" and "source" placeholders with the desired type and source devices of the events to be returned. The meaning of these placeholders is documented in the respective interface descriptions in the reference guide.

Interface structure

In general, Cumulocity REST resources are modelled according to the following pattern:

  • The starting point are API resources, which will provide access to the actual data through URIs and URI templates to collection resources. For example, the above event API resource provides the "events" URI and the "eventsForSourceAndType" URI to access collections of events.
  • Collection resources aggregate member resources and allow creating new member resources in the collection. For example, through the "events" collection resource, new events can be created.
  • Finally, individual resources can be edited.

Query result paging

Collection resources support paging of data to avoid passing huge data volumes in one block from client to server. GET requests to collections accept two query parameters: "pageSize" indicates how many entries of the collection should be returned. By default, 5 entries are returned. The upper limit for one page is currently 2,000 documents, any larger requested page size is trimmed to the upper limit. "currentPage" defines the slice of data to be returned, starting with "1". By default, the first page is returned.

For convenience, collection resources provide a "next" and "prev" links to retrieve the next resp. the previous page of the results. This is an example response for managed object collections:

  "self" : "...",
  "managedObjects" : [
  "statistics" : {
    "totalPages" : 7,
    "pageSize" : 5,
    "currentPage" : 2
  "prev" : "http://...?pageSize=5&Page=1",
  "next" : "http://...?pageSize=5&Page=3"

Please note that the totalPages property can be expensive to compute, hence it is not returned by default for range queries. To include totalPages in the result, add the query parameter "withTotalPages=true".

Query result paging for users with restricted access

If a user does not have a global role for reading data from the API resource but rather has inventory roles for reading only particular documents there are some differences in query result paging:

  • In some circumstances the response may contain less than pageSize elements though there is more data in the database accessible for the user.

  • In some circumstances "next" and "prev" links may appear in the response though there is no more data in the database accessible for the user.

  • The property "currentPage" of the response does not contain the page number but the offset of the next element not yet processed by the querying mechanism.

  • The query parameter "withTotalPages=true" has no effect and value of "totalPages" property is always null.

The above behavior results from the fact that the querying mechanism is iterating maximally over 10 * max(pageSize, 100) documents per request and stops though the full page of data accessible for the user could not be collected. When the next page is requested the querying mechanism starts the iteration where it finished the previous time.

Root interface

To discover the URIs to the various interfaces of Cumulocity, a "root" interface is provided. This root interface aggregates all the underlying API resources and is available through http://<<yourURL>>". For more information on the different API resources, please consult the respective API sections of this reference guide.

Platform [application/]

Name Type Occurs Description
self URI 1 Link to this Resource
inventory InventoryAPI 1 See inventory interface.
identity IdentityAPI 1 See identity interface.
event EventAPI 1 See event interface.
measurement MeasurementAPI 1 See measurement interface.
audit AuditAPI 1 See auditing interface.
alarm AlarmAPI 1 See alarm interface.
user UserAPI 1 See user interface.
deviceControl DeviceControlAPI 1 See device control interface.

GET the Platform resource

Response body: application/

Example response:

HTTP/1.1 200 OK
Content-Type: application/;...
Content-Length: ...

  "self" : "<<URL to the platform API resource>>",
  "event" : {
    "self" : "<<URL to the event API resource>>",
    "events" : { "self" : "<<URL to event collection resource>>" },
    "eventsForSourceAndType" : "<<URL to event collection resource>>?type={type}&source={source}"
  "inventory" : {

Generic media types

Error [application/]

The error type provides further information on the reason of a failed request.

Name Type Occurs Description
error String 1 Error type formatted as "<<resource type>>/<<error name>>". For example, an object not found in the inventory is reported as "inventory/notFound".
message String 1 Short text description of the error
info URL 1 URL to an error description on the Internet.
details Error details 1 Error details. Only available in DEBUG mode.

Error details are provided in the following structure:

Name Type Occurs Description
expectionClass String 1 Class name of an exception that caused this error.
exceptionMessage String 1 Exception message content.
expectionStackTrace String 1 Strack trace of the exception.
- - - Further diagnostic information depending on error type.

PagingStatistics [application/]

Paging statistics for collection resources are provided in the following format:

Name Type Occurs Description
totalRecords Integer 1 The approximate total number of records.
pageSize Integer 1 Maximum number of records contained in this query.
currentPage Integer 1 The current returned page within the full result set, starting at "1".