API access
Exovo exposes a small REST API for automation — list extensions, read recent calls, and set a user's status — authorized by API keys you manage under Admin → Integrations → API.
Keys
Create a key with New API key: give it a name and a scope, and the full key is shown once as
exovo_…. It's stored only as a hash, so copy it then — you can't see it again. The list shows each
key's prefix, scope, when it was created, and when it was last used. Revoke stops a key working
immediately.
Two scopes:
- Read — may call
GETendpoints only. APOST/PUT/DELETEwith a read key is refused with 403. - Read & write — may also make changes.
Authentication
Send the key as a bearer token:
Authorization: Bearer exovo_XXXXXXXXXXXXXXXXXXXXXXXXXXXX
A missing, malformed, unknown, or revoked key gets 401. Every request is scoped to the tenant the key belongs to.
Check a key with the ping endpoint:
curl -H "Authorization: Bearer exovo_XXXX" https://your-server/api/v1/ping
# { "ok": true, "key": "Zapier integration", "scope": "Read", "tenant": "1" }
Endpoints
All paths are under /api/v1.
GET /extensions
Lists extensions (safe fields only — never credentials).
{ "items": [
{ "extension": "205", "name": "Ada Lovelace", "email": "ada@example.com",
"enabled": true, "presence": "Available" }
] }
GET /calls?limit=N
Recent call detail records, newest first (limit 1–500, default 50).
{ "items": [
{ "id": "…", "start": "2026-07-04T15:02:11Z", "direction": "inbound", "status": "answered",
"from": { "number": "+13135551234", "name": "ACME" }, "to": { "number": "205", "name": "Ada" },
"durationSeconds": 92, "talkSeconds": 78, "hasRecording": true }
] }
`POST /extensions/
Sets an extension's status. Requires a read-write key. Body:
{ "presence": "Away" }
Valid values: Available, Away, Out of office, Custom 1, Custom 2.
# With a read-write key — succeeds:
curl -X POST -H "Authorization: Bearer exovo_RW" -H "Content-Type: application/json" \
-d '{"presence":"Away"}' https://your-server/api/v1/extensions/205/presence
# With a read-only key — refused:
# HTTP 403 "This API key is read-only."
Auditing
Creating and revoking keys is written to the audit log. Keys never expire on their own — revoke ones you no longer use.