# Endpoint and Authorization

## Endpoint and URL Structure

Each API Call will target the Endpoint:

**`https://api.nexx.cloud/v3.1/`**

{% hint style="info" %}
HTTPS is not necessary, but strongly recommended. The API will return appropriate CORS Headers for XHR/FETCH Calls.
{% endhint %}

As a general Rule, the URL is constructed like the following:

**`https://api.nexx.cloud/v3.1/:domainid/:context/:operation/:parameter`**

{% hint style="info" %}
The **:context** Parameter is related to the API, that is called. If you want to list all Videos of a Domain, **:context** would be "**videos**" and **:operation** would be "**all**" (as Part of the Media API).

If you need Domain Information, **:context** would be "**domain**" and **:operation** would be "**publicinfo**" (as Part of the Management / Domain Data API).

Except the **:parameter** Part of the Path, each URL Part is necessary and cant be skipped.
{% endhint %}

Each Method can be enhanced by Query Parameters and Output Modifiers. Query Parameters influence the Operation and therefore the returned Result Set and Output Modifiers modify the Level of Details of the Response Object.

## Authorization

Each API Call must be signed in order to get processed. Furthermore, every Call must submit a valid Session ID (except the **`/session/init`** Call).

The nexxOMNIA API will be signed via HTTP Headers. Each Call must add the following additional HTTP Headers:

| Header              | Description            |
| ------------------- | ---------------------- |
| **X-Request-CID**   | The Session ID         |
| **X-Request-Token** | The API Call Signature |

{% hint style="info" %}
Although every API Call needs a valid Session ID, it is NOT necessary for Backend Operations to initiate Sessions. For Backend Operations, 3Q nexx offers an "eternal" Session, that should be used (and never be exposed to a Frontend)
{% endhint %}

The API Call Signature is a dynamic String, that has to be constructed before every Call. It is built using well-known Properties like this:

```
Signature = MD5( API-OPERATION + DOMAIN-ID + DOMAIN-SECRET )
```

{% hint style="info" %}
The **API-OPERATION** is explained above - it is the Method of the selected API Endpoint.
{% endhint %}

{% hint style="info" %}
The **DOMAIN-ID** is the ID of the calling Domain.
{% endhint %}

{% hint style="info" %}
The **DOMAIN-SECRET** is a secret Value, given by 3Q nexx. It should NEVER be exposed to a Frontend.
{% endhint %}

For Illustration, lets build an Example:

```php
//calling the following API 
"https://api.nexx.cloud/v3.1/123/videos/byid/9999"

//would need the folloxing Request Token
MD5( "byid" + 123 + SECRET)
```

{% hint style="info" %}
Please notice, that the **:domainid** Part of the API is skipped for Brevity in all later Documentations, as it never changes.
{% endhint %}