An API (Application Programming Interface) is how other systems talk to Iru Endpoint with structured requests and responses instead of only the Web App. The Iru Endpoint Management API reference documents each call: what to send, what you get back, parameters, and examples for scripts and integrations. This article focuses on API tokens in Access: creating credentials, choosing permissions, reviewing activity, and revoking access when you are done. After you create a token, you use it with the reference to work with devices, apps, Library items, Blueprints, tenant activity, device actions, Library uploads, and Automated Device Enrollment (ADE) tokens for your organization. For guides that show how the API is used in practice, see Related articles.

Generate an API Token

Iru Endpoint uses tenant-level bearer tokens to control access to the API. To generate one:
1

Open Access

Click your name at the bottom of the left navigation, then select Access.
Screenshot of the account menu with Access option highlighted
2

Open the API tokens tab

In Access, click the API tokens tab.
3

Note your organization's API URL

On the API tokens page, look for Your organization’s API URL. The line shows your tenant hostname in this form (your value will differ):
Your organization’s API URL is: accuhive.api.kandji.io
Make a note of this hostname. You use it with the Iru Endpoint API and your bearer token.
4

Create new API token

Click Add Token to create a new API token.
Access API tokens with organization API URL and Add Token
5

Configure token details

Provide a Name and a Description for your API token.
6

Create the token

Click Create.
Create API token prompt with Name, Description, and Create
7

Copy and store token

Iru Endpoint will display a modal with the API token. Click the visibility symbol to expose it or use the Copy Token button to copy the API token to your clipboard, storing it in a safe place.
You will not be able to see the token details again.
8

Continue to next step

Click Next.
Copy your API token dialog with visibility toggle and Copy Token
9

Configure permissions

Click Configure to manage the API permissions for this specific token or Skip to change them later.
Copy API token dialog with Next and option to manage permissions
10

Choose API permissions

Check or uncheck the box next to each permission you want to change. If you check or uncheck the box at the top of a section (for example Blueprints Management), every permission in that section is checked or unchecked together.
11

Save configuration

After making your modifications, click Save.

Edit token

1

View token details

On the API tokens page, click a token name, or click the vertical ellipsis and then View, to open that token and its permissions.
API token detail view after opening a token from the list
2

Edit permissions

Click Edit to change the token’s API permissions. If none are assigned yet, you can use Configure Permissions instead. Edit works whether the token already has permissions or not.
Edit API token permissions in Access
3

Choose API permissions

Check or uncheck the box next to each permission you want to change. If you check or uncheck the box at the top of a section (for example Blueprints Management), every permission in that section is checked or unchecked together.
4

Save permission changes

Click Save.

View Activity

1

View token details

On the API tokens page, click a token name, or click the vertical ellipsis and then View, to open that token and its permissions.
API token detail view after opening a token from the list
2

Open the Activity tab

Click the Activity tab. The timeline lists lifecycle events and API usage.
3

Expand an activity entry

In the timeline, click a row to expand it and read its fields.
Collapsed row
  • Chevron, event icon, title, actor (admin display name or a dash when there is no administrator), short date (M/D/YY).
Expanded detail
  • Expanded rows show full timestamps (M/D/YY, h:mm:ss AM or PM) for time fields, plus the event-specific fields in each accordion below.
Summary: Key icon, Token created, creator display name, short date (M/D/YY).
Expanded
  • Created by: same display name as the summary row.
  • Created at: when the token was created.
Summary: Icon, Token name changed, editor display name, short date (M/D/YY).
Expanded
  • Same administrator by / at layout as Token created and Token permissions edited: who renamed the token and when.
Summary: Padlock icon, Token permissions edited, editor display name, short date (M/D/YY).
Expanded
  • Edited by and Edited at (who saved the change and when).
  • Permissions enabled: one METHOD /path per line for permissions turned on in that save (for example GET /blueprint-routing, PATCH /blueprint-routing).
  • Permissions disabled: same format for permissions turned off (for example GET /devices-list).
  • One save can list routes under both sections. If nothing was turned on or off in that save, the matching section has no lines.
Summary: Eye icon, Token accessed, dash in the actor column (no admin; the client used the token), short date (M/D/YY).
Expanded
  • Accessed by: the caller’s public IPv4 address.
  • Accessed at: when the token was used.
  • Endpoints accessed: one or more lines, each METHOD /path (for example GET /devices-list).
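A least-privilege review built from the Activity fields described above, as an added example (not Iru's code): it replays the Permissions enabled and Permissions disabled lines to get the token's current permission set, then compares that set with the Endpoints accessed lines and the Accessed by addresses. The entry dictionaries, the `expected_ips` allowlist and all sample values are constructed for illustration, and the replay assumes every permission change appears as a Token permissions edited entry.

```python
import re
from collections import Counter

# Constructed sample: fields copied by hand from one token's Activity timeline,
# oldest entry first. Routes reuse the METHOD /path examples on this page; the
# addresses come from documentation ranges.
ACTIVITY = [
    {"event": "Token permissions edited",
     "enabled": ["GET /blueprint-routing", "PATCH /blueprint-routing",
                 "GET /devices-list"],
     "disabled": []},
    {"event": "Token accessed", "accessed_by": "203.0.113.10",
     "endpoints": ["GET /devices-list"]},
    {"event": "Token permissions edited",
     "enabled": [], "disabled": ["PATCH /blueprint-routing"]},
    {"event": "Token accessed", "accessed_by": "198.51.100.7",
     "endpoints": ["GET /devices-list"]},
]

ROUTE = re.compile(r"(GET|POST|PUT|PATCH|DELETE) (/\S+)")

def route(line):
    """Validate one 'METHOD /path' line and return it normalized."""
    match = ROUTE.fullmatch(line.strip())
    if match is None:
        raise ValueError(f"not a METHOD /path line: {line!r}")
    return match.group(0)

def review(activity, expected_ips):
    """Replay the timeline: effective permissions, unused ones, odd callers."""
    granted, calls, strangers = set(), Counter(), Counter()
    for entry in activity:
        if entry["event"] == "Token permissions edited":
            granted |= {route(r) for r in entry["enabled"]}
            granted -= {route(r) for r in entry["disabled"]}
        elif entry["event"] == "Token accessed":
            calls.update(route(r) for r in entry["endpoints"])
            if entry["accessed_by"] not in expected_ips:
                strangers[entry["accessed_by"]] += 1
    return {"granted": granted,
            "unused": granted - set(calls),   # candidates to turn off
            "calls": dict(calls),
            "unexpected_sources": dict(strangers)}

if __name__ == "__main__":
    for key, value in review(ACTIVITY, {"203.0.113.10"}).items():
        print(f"{key}: {value}")
```

Routes listed under `unused` are candidates to disable in Edit token, and any address under `unexpected_sources` is a reason to rotate the token.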

Revoke a Token

Revoking a token removes all Activity recorded for that token. That history cannot be recovered.
If you will no longer use the token but want to keep its Activity history, use Edit token instead: open the token, click Edit, remove all API permissions, and click Save.
1

Start revocation

On the API tokens page, click the vertical ellipsis next to the token you want to revoke, then click Revoke. Or open the token, click Edit, then Revoke at the bottom left.
API tokens list with Revoke option for a token
2

Enter the token name

Enter the token name exactly as it appears in the prompt.
3

Confirm revocation

Click Revoke to confirm.
After you revoke a token, you will no longer see it in the list of API tokens for your tenant, and Activity for that token is no longer accessible.

Best practices

One token per integration

Create a unique API token for each integration or use case so you can rotate or revoke one connection without affecting others.

Clear names and descriptions

Use clear, descriptive Name and Description values in the Iru Endpoint Web App so tokens are easy to recognize on the API tokens page in Access.

Considerations

If you remove an administrator from the Iru Endpoint Web App, API tokens they created stay in place and keep working until they are revoked. Deleting the user does not automatically revoke those tokens. Open Access, go to API tokens, and Revoke (or rotate by creating a new token and revoking the old one) if you need to stop access.
Anyone with permission to use the Access page can manage every API token in the tenant: edit Permissions, rename the token, review Activity, and revoke it. You do not need to be the user who originally created the token.
The secret (the string you use as a bearer token) is shown only once, when the token is first created. After that, other administrators can still administer the token in Access, but they cannot see that secret again unless the creator shared it with them at creation time (for example in a password manager or secure message). Anyone with Access can still revoke the token or narrow its permissions if the secret might have been exposed.
The Iru Endpoint Management API currently has an API rate limit of 10,000 requests per hour per customer, documented in the introduction of the Iru Endpoint Management API documentation.
When Iru Compliance collects evidence through the Iru Endpoint Compliance source, it calls the Management API with your API token. Those requests count toward the same hourly limit for your tenant.

Troubleshooting

The Iru Endpoint Management API enforces 10,000 requests per hour per customer (see Considerations and the Iru Endpoint Management API documentation). All API tokens in your tenant share that same limit. There is no separate rate limit per token.
When a request is blocked for exceeding the limit, the response body includes:
{
  "message": "API rate limit exceeded"
}
To see whether a specific integration or script is driving volume, open Access, select each token, and review Activity for that token (View Activity). Expanding Token accessed entries shows which endpoints were called so you can throttle or fix the client, rotate credentials, or adjust automation as needed.
If the token does not have the API permissions required for the endpoint you are calling, you may receive a response like:
{
  "detail": "You do not have permission to perform this action."
}
In Access, open the token, select Edit, and enable the permissions that match the routes your integration uses (Edit token).
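A client-side sketch of how an integration can tell the two responses above apart, as an added example (not Iru's code): the rate-limit body means the shared tenant budget is spent and the caller should back off, while the permission body is a configuration problem that retrying cannot fix. The function names, the `opener` parameter and the placeholder URL are assumptions; bodies are matched on their text because this page does not state the HTTP status codes.

```python
import io
import json
import urllib.error
import urllib.request

class RateLimited(Exception):
    """Tenant-wide hourly limit reached: back off instead of retrying."""
class PermissionMissing(Exception):
    """Token lacks the permission for this route: fix it under Edit token."""

# The two response bodies quoted in Troubleshooting, keyed by (field, value).
DOCUMENTED = {
    ("message", "API rate limit exceeded"): RateLimited,
    ("detail", "You do not have permission to perform this action."): PermissionMissing,
}

def build_request(url, token):
    """Attach the token as a bearer credential; refuse anything but HTTPS."""
    if not url.lower().startswith("https://"):
        raise ValueError("bearer tokens must only be sent over HTTPS")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def classify(body):
    """Return the exception class for a documented error body, else None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    hits = [exc for (field, value), exc in DOCUMENTED.items()
            if isinstance(doc, dict) and doc.get(field) == value]
    return hits[0] if hits else None

def call(url, token, opener=urllib.request.urlopen):
    """GET url and return parsed JSON, raising on the two documented bodies."""
    try:
        with opener(build_request(url, token), timeout=30) as resp:
            body, failure = resp.read(), None
    except urllib.error.HTTPError as err:  # error statuses still carry a body
        body, failure = err.read(), err
    kind = classify(body)
    if kind is not None:
        raise kind(url)  # the message names the URL, never the token
    if failure is not None:
        raise failure
    return json.loads(body)

if __name__ == "__main__":  # offline demo: stub opener, constructed body
    demo = lambda req, timeout: io.BytesIO(b'{"devices": []}')
    print(call("https://tenant.example.invalid/placeholder", "constructed", demo))
```

In real use, leave `opener` at its default and load the token from a secret store or environment variable rather than the source file.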

Related articles

Iru Endpoint Management API reference

Browse endpoints, parameters, and request and response examples.

Integrating Third-Party Apps Using the Iru Endpoint API

Connect third-party products and map the API permissions each one needs.

How to Set Up the Iru Endpoint API in Postman

Import the published collection and send authenticated requests.

Iru Endpoint (Compliance source)

How Iru Compliance uses your token on the Management API for evidence.

Configuring the In-House App Library Item

Publish and update in-house apps using the API and the Web App.

Prism Data Analytics

Query and export fleet data with Prism’s API-first analytics workflows.

Renew, update, or delete ADE tokens using the Iru Endpoint API

Renew, update, or delete ADE tokens using an API token from Access.

Configure multiple ADE tokens using the Iru Endpoint API

Connect multiple Apple Business or Apple School Manager accounts or organizational units to Iru Endpoint.

Authorize Your Kandji Tenant for Okta Workflows

Connect Okta Workflows to Iru Endpoint with an API token and device permissions.

Amazon S3 Activity Log Integration

Deliver tenant activity logs to Amazon S3 and review logged event types in the API documentation.