Docs navigation

API access

Exovo exposes a small REST API for automation — list extensions, read recent calls, and set a user's status — authorized by API keys you manage under Admin → Integrations → API.

Keys

Create a key with New API key: give it a name and a scope, and the full key is shown once as exovo_…. It's stored only as a hash, so copy it then — you can't see it again. The list shows each key's prefix, scope, when it was created, and when it was last used. Revoke stops a key working immediately.

Two scopes:

  • Read — may call GET endpoints only. A POST/PUT/DELETE with a read key is refused with 403.
  • Read & write — may also make changes.

Authentication

Send the key as a bearer token:

Authorization: Bearer exovo_XXXXXXXXXXXXXXXXXXXXXXXXXXXX

A missing, malformed, unknown, or revoked key gets 401. Every request is scoped to the tenant the key belongs to.

Check a key with the ping endpoint:

curl -H "Authorization: Bearer exovo_XXXX" https://your-server/api/v1/ping
# { "ok": true, "key": "Zapier integration", "scope": "Read", "tenant": "1" }

Endpoints

All paths are under /api/v1.

GET /extensions

Lists extensions (safe fields only — never credentials).

{ "items": [
  { "extension": "205", "name": "Ada Lovelace", "email": "ada@example.com",
    "enabled": true, "presence": "Available" }
] }

GET /calls?limit=N

Recent call detail records, newest first (limit 1–500, default 50).

{ "items": [
  { "id": "…", "start": "2026-07-04T15:02:11Z", "direction": "inbound", "status": "answered",
    "from": { "number": "+13135551234", "name": "ACME" }, "to": { "number": "205", "name": "Ada" },
    "durationSeconds": 92, "talkSeconds": 78, "hasRecording": true }
] }

`POST /extensions/

Sets an extension's status. Requires a read-write key. Body:

{ "presence": "Away" }

Valid values: Available, Away, Out of office, Custom 1, Custom 2.

# With a read-write key — succeeds:
curl -X POST -H "Authorization: Bearer exovo_RW" -H "Content-Type: application/json" \
     -d '{"presence":"Away"}' https://your-server/api/v1/extensions/205/presence

# With a read-only key — refused:
#   HTTP 403  "This API key is read-only."

Auditing

Creating and revoking keys is written to the audit log. Keys never expire on their own — revoke ones you no longer use.