inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2025-12-20 03:03:30 +00:00
Code Activity
Files
551da5a51f922a73be10b0c3c4378236c70fa653
InvenTree/docs/docs/api/index.md
Matthias Mair 45daef8442 feat: more mail sending backends and plugability (#9608) 
* [FR] Improve Email handeling
Fixes #7950

* extend implementation of email thread and message models

* add missing args

* add unit test

* increase test coverage

* make key not necessary

* do not consider in coverage

* add email apis

* Add email admin

* fix email configuration check

* improve rendering

* squash migrations

* add config value overview

* log if mails were send

* add additional headers

* fix api unit test

* fix url resolving

* add InvenTree specific task to issue mails
required to extend sending options (prio, reply to)

* use internal sending task to keep telemetry cleaner

* add prio handling

* add plugin handling

* add setting

* factor plugin method out

* add typing

* move function

* bump version

* fix import path

* add a test for the test endpoint

* fix checking logic

* Add anymail sending / tracking handling

* add more ordering fields to api

* remove unneeded assingment

* add basic docs

* handle incoming emails with anymail

* Add inbox handling
Closes https://github.com/inventree/InvenTree/issues/7951

* add list of supported ESPs

* add better error transparency when sending fails

* add missing migration

* combine migrations back down

* fix todos

* fix qc export

* fix missing model props

* add tests

* ensure things are passed as a list

* fix list formatting

* fix deps

* move tests

* add testing with anymail

* allow handling of priority and headers

* add test for events

* add test for inbound messages

* rename variable

* increase coverage

* fix format

* add setting doc

* fix link

* rename fnc

* disable pro test

* make messages clearer

* fix doc syntax

* fix assign

* fix test

* revert test disablement

* add enum

* disable check for now

* try changing test around

* add incoming mail processing

* fix import

* add docs

* Fix mail.md

* bump deps

* fix api version
2025-06-20 11:49:02 +10:00

6.0 KiB
Raw Blame History

title
title
InvenTree API

InvenTree API

InvenTree provides a powerful REST API for interacting with inventory data on the server. Low-level data access and manipulation is available, with integrated user authentication and data validation.

!!! info "Django REST Framework" The InvenTree API is based on the powerful and flexible Django REST Framework.

Documentation

The API is self-documenting, and the documentation is provided alongside any InvenTree installation instance. If (for example) you have an InvenTree instance running at http://127.0.0.1:8000 then the API documentation is available at http://127.0.0.1:8000/api-doc/

{{ image("api/api_doc.png", "API documentation") }}

Browseble API

If debug mode is enabled, the API can be browsed directly from the web interface. This provides a simple way to explore the API and test out different endpoints. Simply navigate your web browser to any API endpoint, and the API will be displayed in a human-readable format.

Schema Description

The API schema is also documented in the API Schema page.

Generating Schema File

If you want to generate the API schema file yourself. For example, to use with an external client, use the invoke dev.schema command. Run with the -help command to see available options.

invoke dev.schema -help

Authentication

Users must be authenticated to gain access to the InvenTree API. The API accepts either basic username:password authentication, or token authentication. Token authentication is recommended as it provides much faster API access.

!!! warning "Permissions" API access is restricted based on the permissions assigned to the user or scope of the application.

Basic Auth

Users can authenticate against the API using basic authentication - specifically a valid combination of username and password credentials.

Tokens

Each user is assigned an authentication token which can be used to access the API. This token is persistent for that user (unless invalidated by an administrator) and can be used across multiple sessions.

!!! info "Token Administration" User tokens can be created and/or invalidated via the user settings, Admin Center or admin interface.

Requesting a Token

If a user does not know their access token, it can be requested via the API interface itself, using a basic authentication request.

To obtain a valid token, perform a GET request to /api/user/token/. No data are required, but a valid username / password combination must be supplied in the authentication headers.

!!! info "Credentials" Ensure that a valid username:password combination are supplied as basic authorization headers.

Once a valid token is received from the server, subsequent API requests should be performed using that token.

If the supplied user credentials are validated, the server will respond with:

HTTP_200_OK
{
    token: "usertokendatastring",
}

Using a Token

After reception of a valid authentication token, it can be subsequently used to perform token-based authentication.

The token value sent to the server must be of the format Token <TOKEN-VALUE> (without the < and > characters).

Example: Javascript

var token = "MY-TOKEN-VALUE-HERE";

$.ajax({
  url: "http://localhost:8080/api/part/",
  type: 'GET',
  headers: {"Authorization": `Token ${token}`}
});

Example: Python (Requests)

import requests

token = 'MY-TOKEN-VALUE-HERE'
data = { ... }
headers = {
    'AUTHORIZATION': f'Token {token}'
}
response = request.get('http://localhost:8080/api/part/', data=data, headers=headers)

oAuth2 and OIDC

!!! warning "Experimental" This is an experimental feature that needs to be specifically enabled. See Experimental features for more information.

InvenTree has built-in support for using oAuth2 and OpenID Connect (OIDC) for authentication to the API. This enables using the instance as a very limited identity provider.

A default application using a public client with PKCE enabled ships with each instance. Intended to be used with the python api and configured with very wide scopes this can also be used for quick tests - the cliend_id is zDFnsiRheJIOKNx6aCQ0quBxECg1QBHtVFDPloJ6.

Managing applications

Superusers can register new applications and manage existing ones using a small application under the subpath /o/applications/. It is recommended to:

  • read the spec (RFC 6749 / 6750) and/or best practices (RFC 9700) before choosing client types
  • chose scopes as narrow as possible
  • configure redirection URIs as exact as possible

Scopes

InvenTree's oAuth scopes are strongly related to the user roles. Names consist of 1. type, 2. kind and 3. (opt) role, separated by colons.

There are 3 types:

  • a: administrative scopes - used for administrating the server - these can be staff or superuser scopes
  • g: general scopes - give wide access to the basic building blocks of InvenTree
  • r: role scopes - map to specific actions (2) and roles (3)

Examples:

a:superuser
g:read
r:change:part
r:delete:stock

!!! info "Read the API docs" The API documentation and schema list the required scopes for every API endpoint / interaction in the security sections.

Authorization

User Roles

Users can only perform REST API actions which align with their assigned role permissions. Once a user has authenticated via the API, a list of the available roles can be retrieved from:

/api/user/roles/

For example, when accessing the API from a superuser account:

{{ image("api/api_roles.png", "API superuser roles") }}

Or, when accessing the API from an account which has read-only permissions:

{{ image("api/api_roles_2.png", "API user roles") }}

Permission Denied

If an API action outside of the user's role(s) is attempted, the server will respond with a 403 permission error message.

View Git Blame Copy Permalink