openapi: 3.0.3 info: title: XUI.ONE Admin API description: | # XUI.ONE Admin API Documentation Comprehensive API documentation for XUI.ONE IPTV Panel Administration. ## Overview The XUI.ONE Admin API provides programmatic access to manage your IPTV platform. With over 180+ endpoints, you can: - Manage subscriptions (Lines, MAG devices, Enigma2 devices) - Control streams, channels, movies, and series - Monitor connections and logs - Configure servers and load balancers - Administer users and resellers ## Base URL Structure All API requests follow this pattern: ``` http://YOUR_SERVER:PORT//?api_key=&action=ACTION_NAME ``` **Components:** - `YOUR_SERVER` - Your XUI.ONE server IP or domain - `PORT` - API port (default: 80 for HTTP, 8000 for HTTP explicit, 9000 for HTTPS) - `` - Unique access code for API access - `` - Your generated API key - `ACTION_NAME` - The API action to perform ## Authentication XUI.ONE API uses **API Key authentication** combined with **Access Codes** for secure access. ### Prerequisites Before using the API, you need: 1. ✅ XUI.ONE panel installed and running 2. ✅ Admin account with appropriate permissions 3. ✅ Admin API access code created 4. ✅ API key generated ### Step 1: Create Admin API Access Code 1. Log into your XUI.ONE admin panel 2. Navigate to **Management → Access Control → Access Codes** 3. Click **Add Access Code** 4. Select **Access Type: Admin API** 5. Assign to **Administrators** group 6. (Optional) Restrict to specific IP address for security 7. Save the access code (e.g., `cSbuFLhp`) ### Step 2: Generate API Key 1. Log into admin panel 2. Click your profile (top right) 3. Select **Edit Profile** 4. Click the blue **Generate API Key** button 5. Copy and save your API key (e.g., `8D3135D30437F86EAE2FA4A2A8345000`) ⚠️ **Security Warning:** Keep your API key secure. If compromised, regenerate immediately. ### Step 3: Test Authentication Test your credentials with a simple API call: ```bash curl "http://your-server.com/cSbuFLhp/?api_key=8D3135D30437F86EAE2FA4A2A8345000&action=user_info" ``` Successful response: ```json { "status": "STATUS_SUCCESS", "data": { "username": "admin", "member_group_id": "1", ... } } ``` ## Request Methods The API supports both **GET** and **POST** methods: ### GET Requests Pass parameters in the URL query string: ``` http://your-server.com/cSbuFLhp/?api_key=8D3135D30437F86EAE2FA4A2A8345000&action=get_lines&limit=10 ``` ### POST Requests Send parameters as form data or JSON in request body: ```bash curl -X POST "http://your-server.com/cSbuFLhp/?api_key=8D3135D30437F86EAE2FA4A2A8345000&action=create_line" \ -d "username=testuser" \ -d "password=testpass" \ -d "max_connections=1" ``` ## Response Format All API responses return JSON with a consistent structure: ### Success Response ```json { "status": "STATUS_SUCCESS", "data": { // Response data here } } ``` ### Error Response ```json { "status": "STATUS_FAILURE", "error": "Error message description" } ``` ## Common Error Messages | Error Message | Cause | Solution | |--------------|-------|----------| | `Invalid API key` | Wrong or expired API key | Regenerate API key in admin profile | | `Access denied` | Invalid access code | Verify access code is correct | | `Missing required parameters` | Required field not provided | Check API documentation for required fields | | `Invalid action` | Action name is incorrect | Verify action name spelling | | `Permission denied` | Insufficient privileges | Ensure API access code is assigned to Administrators group | ## Rate Limiting XUI.ONE implements rate limiting to prevent abuse: - Default: No strict rate limit - Recommended: Max 100 requests per minute per IP - Heavy operations (database queries): Use sparingly If you experience rate limiting, implement exponential backoff in your application. ## Security Best Practices 1. 🔒 **Use HTTPS** - Always use port 9000 with SSL enabled in production 2. 🔐 **IP Whitelisting** - Restrict API access to specific IPs 3. 🔑 **Rotate Keys** - Regenerate API keys periodically 4. 📝 **Audit Logs** - Monitor API usage via activity logs 5. 🚫 **Never Expose Keys** - Don't commit API keys to version control 6. 🛡️ **HMAC Authentication** - Use HMAC for enhanced security (advanced) ## HMAC Authentication (Advanced) For enhanced security, XUI.ONE supports HMAC-based authentication: 1. Generate HMAC key: `action=create_hmac` 2. Sign each request with HMAC-SHA256 3. Include signature in request header See detailed HMAC documentation for implementation details. ## Getting Help - 📖 Documentation: https://github.com/worldofiptvcom/xui-one-api-docs - 💬 Community: World of IPTV Forums (https://www.worldofiptv.com) - 🐛 Issues: Report bugs via GitHub Issues - 📧 Support: Contact XUI.ONE support team ## API Version Current API Version: **v1.5.13** Compatible with XUI.ONE versions 1.5.5+ version: 1.5.13 contact: name: XUI.ONE API Support url: https://xui.one license: name: Proprietary url: https://xui.one servers: - url: http://{server}:{port}/{accessCode} description: XUI.ONE API Server (HTTP) variables: server: default: your-server.com description: Your XUI.ONE server IP or domain port: default: '80' description: API port enum: - '80' - '8000' accessCode: default: cSbuFLhp description: Your unique access code for API access - url: https://{server}:9000/{accessCode} description: XUI.ONE API Server (HTTPS - Recommended) variables: server: default: your-server.com description: Your XUI.ONE server IP or domain accessCode: default: cSbuFLhp description: Your unique access code for API access security: - ApiKeyAuth: [] tags: - name: Authentication description: Authentication and authorization operations - name: GET INFO description: Query and retrieve information - name: Logs & Events description: Activity logs, connections, and monitoring - name: Line API description: Subscription line management - name: User API description: User account management - name: MAG API description: MAG device management - name: Enigma API description: Enigma2 STB management - name: Streams API description: Live stream management - name: Channel API description: Channel management - name: Station API description: Radio station management - name: Movie API description: VOD movie management - name: Series API description: Series management - name: Episode API description: Episode management - name: Servers API description: Server and load balancer management - name: Settings & System description: System settings and administrative functions paths: /: get: summary: API Base Endpoint description: | Base endpoint for all API requests. All actions are performed by adding the `action` parameter. **Usage:** ``` /?api_key=&action=ACTION_NAME¶m1=value1¶m2=value2 ``` operationId: apiBase tags: - Authentication parameters: - $ref: '#/components/parameters/ApiKey' - $ref: '#/components/parameters/Action' responses: '200': description: Successful response content: application/json: schema: oneOf: - $ref: '#/components/schemas/SuccessResponse' - $ref: '#/components/schemas/ErrorResponse' '401': $ref: '#/components/responses/Unauthorized' '500': $ref: '#/components/responses/ServerError' /?action=user_info: get: summary: Get Current User Info description: | Retrieves information about the currently authenticated admin user. **Use Case:** Verify authentication and check admin privileges. **Example Request:** ```bash curl "http://your-server.com/cSbuFLhp/?api_key=8D3135D30437F86EAE2FA4A2A8345000&action=user_info" ``` **Example Response:** ```json { "status": "STATUS_SUCCESS", "data": { "id": "1", "username": "admin", "member_group_id": "1", "email": "admin@example.com", "date_registered": "1609459200", "last_login": "1734048000", "status": "1" } } ``` operationId: getUserInfo tags: - Authentication parameters: - $ref: '#/components/parameters/ApiKey' - name: action in: query required: true schema: type: string enum: [user_info] example: user_info responses: '200': description: Current user information content: application/json: schema: allOf: - $ref: '#/components/schemas/SuccessResponse' - type: object properties: data: $ref: '#/components/schemas/UserInfo' example: status: "STATUS_SUCCESS" data: id: "1" username: "admin" member_group_id: "1" email: "admin@example.com" date_registered: "1609459200" last_login: "1734048000" status: "1" '401': $ref: '#/components/responses/Unauthorized' components: securitySchemes: ApiKeyAuth: type: apiKey in: query name: api_key description: | API key for authentication. Generate from your admin profile in the XUI.ONE panel. **Example:** `8D3135D30437F86EAE2FA4A2A8345000` parameters: ApiKey: name: api_key in: query required: true description: Your API key for authentication schema: type: string example: "8D3135D30437F86EAE2FA4A2A8345000" Action: name: action in: query required: true description: The API action to perform schema: type: string example: user_info schemas: SuccessResponse: type: object required: - status - data properties: status: type: string enum: [STATUS_SUCCESS] description: Response status indicator data: type: object description: Response data (structure varies by endpoint) example: status: "STATUS_SUCCESS" data: {} ErrorResponse: type: object required: - status - error properties: status: type: string enum: [STATUS_FAILURE] description: Error status indicator error: type: string description: Error message describing what went wrong example: status: "STATUS_FAILURE" error: "Invalid API key" UserInfo: type: object properties: id: type: string description: User ID example: "1" username: type: string description: Username example: "admin" member_group_id: type: string description: Member group ID (1 = Administrator) example: "1" email: type: string format: email description: User email address example: "admin@example.com" date_registered: type: string description: Unix timestamp of registration date example: "1609459200" last_login: type: string description: Unix timestamp of last login example: "1734048000" status: type: string description: User status (1 = Active, 0 = Inactive) enum: ["0", "1"] example: "1" responses: Unauthorized: description: Authentication failed - Invalid API key or access code content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' example: status: "STATUS_FAILURE" error: "Invalid API key" ServerError: description: Internal server error content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' example: status: "STATUS_FAILURE" error: "Internal server error" NotFound: description: Resource not found content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' example: status: "STATUS_FAILURE" error: "Resource not found"