📘 FlexyKey REST API – Developer Integration Guide

Welcome to the FlexyKey REST API.
This API allows third-party developers to integrate booking systems, access control systems, and automation platforms with FlexyKey and Evva AirKey units.

The API provides:

• Unit information and IO discovery
• Unit control (F1/F2 and X1–X64)
• Full IO status monitoring
• Webhook-based status notifications
• Booking management
• Unit logs
• And more depending on the unit type

This document explains how to authenticate, how to call the endpoints, and how to interpret responses.

📑 Contents

• 1. Authentication & Access Control
• 2. Base URL
• 3. Data Format
• 4. IO Model & Unit Structure
  • 4.1 Recommended Integration Approach
• 5. Unit Information
  • 5.1 List all units
  • 5.2 Get one unit
• 6. Control API
  • 6.1 Control Output
  • 6.2 Get IO Status
• 7. Unit Information Requests
  • 7.1 GET /RequestUnitInfoTypes
  • 7.2 POST /RequestUnitInfo
  • 7.3 GET /UnitMessages
• 8. ID Entries
  • 8.1 GET /UnitIdEntries
  • 8.2 POST /UnitIdEntries
  • 8.3 PUT /UnitIdEntries/{id}
  • 8.4 DELETE /UnitIdEntries/{id}
• 9. Unit Settings
  • 9.1 GET /UnitSettings/Definitions
  • 9.2 GET /UnitSettings
  • 9.3 PUT /UnitSettings
• 10. Unit Sync
  • 10.1 POST /UnitSync/PushChanges
  • 10.2 GET /UnitSync/Status
  • 10.3 POST /UnitSync/Abort
• 11. Tools
  • 11.1 POST /Tools/IdEntriesSyncState
  • 11.2 POST /Tools/UnitSettingsSyncState
  • 11.3 POST /Tools/AllUnitDataSyncState
• 12. Webhooks
  • 12.1 Webhook event payload
  • 12.2 GET /Webhooks/Events
  • 12.3 PUT /Webhooks
  • 12.4 GET /Webhooks
  • 12.5 DELETE /Webhooks
  • 12.6 POST /Webhooks/Test
  • 12.7 How to test webhooks
  • 12.8 Recommended client behavior
• 13. Logs
• 14. Booking API
• 15. Best Practices
• 16. Support

🔐 1. Authentication & Access Control

The FlexyKey API uses HTTP Basic Authentication.
Your FlexyWeb username and password (API-enabled user) must be sent via the Authorization header:

Swagger and tools like Postman handle this automatically.

Access Requirement
All API calls are executed in the context of the authenticated user.
To use any API function (units, control, status, webhooks, bookings, logs), the user must belong to the same company that owns the target unit or booking object.
If a user does not have rights, the API returns an access error.

🌐 2. Base URL

Production
https://api.flexykey.se/v1/

Swagger documentation
https://api.flexykey.se/v1/swagger

⚙️ 3. Data Format

• JSON
• UTF-8 encoding
• ISO 8601 timestamps, always in UTC for machine-readable timestamp fields

Example:

🔑 4. IO Model & Unit Structure

FlexyKey uses a consistent IO model across the API.

• F1, F2 – main unit relays
• X1–X64 – expansion relays
• IN1–INx – main inputs
• IX1–IX64 – expansion inputs

These identifiers are used 1:1 across the API:

• Unit API (GET /Units)
• Control API (POST /Control)
• Status API (GET /Control)
• Webhook payloads

This means that IO returned from GET /Units can be used directly for:

• Control commands
• Status interpretation
• Webhook processing

Use globalNumber when referring to IO in integrations.

Examples:

• F1 and F2 are the two relays on the main unit
• X1 may be relay 1 on expansion module 1
• X5 may be relay 1 on expansion module 2
• IX1 may be input 1 on expansion module 1

The Unit API returns both:

• localNumber – physical/local position on that board or expansion
• globalNumber – API-wide identifier used in Control and Status

For example:

Here:

• localNumber = 1 means it is relay 1 on that specific expansion module
• globalNumber = X5 means this is the identifier your integration uses in the API

🧠 4.1 Recommended Integration Approach

1. Call GET /Units to discover the available IO structure for the unit
2. Store or map the globalNumber values you need
3. Use those values in POST /Control
4. Monitor state through GET /Control or webhooks

Always use globalNumber when interacting with IO.
Use localNumber only for display or mapping to physical terminals and labels.

Do not assume that all units have expansion modules. Some units only expose main relays and main inputs, while others may include WEXP or other expansion types.

📦 5. Unit Information

The Unit API allows applications to:

• Retrieve unit metadata
• Discover available relays and inputs
• See connected expansion modules
• Discover configured sensors
• Discover available counters and their default mapping
• Map local IO positions to API-wide identifiers

This endpoint should normally be the first step in an integration, because it tells you which IO names are valid for each unit.

The Unit API may also include sensors and counters collections. These are metadata/discovery structures and should be used to understand which sensors and counters are available for a unit, how they are identified, and how values should be interpreted.

5.1 Example — List all units

GET

Response example

Units without expansion modules will have an empty expansions array.

Different expansion types may expose different capabilities. For example, a WEXP module may contain relays and inputs, while another module type may contain no IO at all.

The Unit API may also include sensors and counters collections. These are metadata/discovery structures and should be used to understand which sensors and counters are available for a unit, how they are identified, and how values should be interpreted.

5.2 Example — Get information about one specific unit

GET

The response structure is the same as in the list endpoint, but for one unit only.

🔧 6. Control API

The Control API allows developers to:

• Control relays (F1, F2) on the main unit
• Control up to 64 extended outputs (X1–X64)
• Send ON / OFF / pulse commands
• Retrieve full IO status (inputs and outputs)
• Reference units by unitId or serialNumber

🚀 6.1 Control Output

POST /Control
Send a control command to a FlexyKey unit.

URL:

Request body (JSON)
Specify either unitId or serialNumber.
outputNumber can be F1, F2 or X1–X64.
outputAction can be ON, OFF or a pulse value in seconds, 1–99999 (only number, no unit).

Example 1 — Control F1 ON

Example 2 — Pulse X33 for 60 seconds

Response:

📡 6.2 Get IO Status

GET /Control
Retrieve the current IO state of a unit.

By unitId:

By serial:

Response example:

The status response uses the same global IO identifiers as the Unit API.

7. Unit Information Requests

Some unit information is retrieved by sending approved CHECK commands to the physical unit. These commands perform a roundtrip through the unit communication path and the database. The API therefore does not wait for the unit response.

Recommended flow:

1. Call GET /RequestUnitInfoTypes to discover approved command types and profiles
2. Call POST /RequestUnitInfo to queue one command or one pre-built profile
3. Read the result later using GET /UnitMessages or the relevant status endpoint, for example GET /Control

All endpoints use the same Basic Authentication and company/unit access control as the rest of the API.

7.1 GET /RequestUnitInfoTypes

GET /v1/RequestUnitInfoTypes
Returns the public command catalog: approved individual commands and pre-built profiles. Only commands that are visible and enabled in the catalog are returned.

URL:

Example response:

Current public command types:

• CHECKASTAT - input and output status, older compatibility format
• CHECKSTATUS - FKV2 input and output status
• CHECKCOUNTERS - input counters
• CHECKTEMP - current temperature response
• CHECKSYS - system information
• CHECKTIME - unit time and uptime information
• CHECKEXP - expansion unit information; may return several response messages
• CHECKCALSTAT - calendar status
• CHECKSALOFFICEMODE - Sallis lock office mode status
• CHECKOUTPUTCAL - calendars connected to outputs/locks
• CHECKINPUTCAL - calendars connected to inputs
• CHECKESPNOWMAC - ESP-NOW MAC address information
• CHECKWEXP - WEXP unit information

Current public profiles:

• controlStatusFull - CHECKASTAT, CHECKCOUNTERS, CHECKTEMP, CHECKSYS
• controlStatusMedium - CHECKASTAT, CHECKCOUNTERS, CHECKTEMP

7.2 POST /RequestUnitInfo

POST /v1/RequestUnitInfo
Queues one approved command or one approved profile for a unit. Use either unitId or serialNumber, and either typeName or profile.

The endpoint is asynchronous. A successful response means the command was accepted for queuing, not that the unit has already answered.

Request body - one command:

Request body - profile:

Example response:

Commands and profiles have configurable cache and rate limits to protect the unit communication path. If a command is skipped because of cache or rate limiting, the command result status indicates that instead of queuing a new command.

7.3 GET /UnitMessages

GET /v1/UnitMessages
Returns latest approved incoming unit information messages for a unit. Leave typeName empty to return all approved response types, or set typeName to filter by a specific command.

Only responses matching visible and enabled commands in the public command catalog are returned. Outgoing commands, internal log messages and unsupported raw device reports are not returned.

Default behavior is latest 20 rows, newest first. Maximum limit is 100.

Examples:

Example response:

The timestamp field reflects the database timestamp in Swedish/local database time. Use timestampIso for machine storage, comparison and integration logic.

8. ID Entries

ID entries are the unit access list: phone numbers, PIN codes or tag numbers that can be synchronized to a unit. Use these endpoints to read, create, update or mark entries for deletion on the server.

A changed ID entry is not sent to the physical unit immediately. After changing entries, call POST /UnitSync/PushChanges to push the pending changes to the unit. Use GET /UnitSync/Status afterwards to follow progress, for example in a progress bar.

Important field rules:

• unitId is required for all operations
• idNumber max length is 20 characters
• name and description max length is 25 characters
• action must be a valid relay/action value, for example R1, R2 or a valid access group such as G13
• codeTag must be 4-7 digits when used
• codeTagCalendar may only be set when codeTag contains a valid PIN
• validFromIso and validToIso use ISO 8601, for example 2026-04-22T14:00:00+02:00 or 2026-04-22T12:00:00Z

8.1 GET /UnitIdEntries

GET /v1/UnitIdEntries
Returns ID entries for a unit. Supports paging and search.

Search matches idNumber, name, description and action. Partial text is accepted. Leave search empty to return all ID entries for the unit.

limit controls page size. offset is the number of rows to skip. Example: first page offset=0, second page offset=limit.

8.2 POST /UnitIdEntries

POST /v1/UnitIdEntries
Creates one ID entry for a unit. Duplicate idNumber values on the same unit return 409 Conflict.

8.3 PUT /UnitIdEntries/{id}

PUT /v1/UnitIdEntries/{id}
Updates one ID entry. The unitId in the body must match the existing row. Changes to idNumber, action, codeTag, codeTagCalendar, validFromIso or validToIso mark the entry as changed for sync. Changes to name or description do not mark the entry as changed, because those fields are not sent to the unit.

8.4 DELETE /UnitIdEntries/{id}

DELETE /v1/UnitIdEntries/{id}
Marks one ID entry for deletion on the server. The deletion is sent to the physical unit by calling POST /UnitSync/PushChanges.

9. Unit Settings

Unit settings are approved customer-facing settings that can be read and updated on the server. Only settings approved by the public catalog are visible through this API.

A changed setting is not sent to the physical unit immediately. After changing settings, call POST /UnitSync/PushChanges to push pending changes to the unit.

Current public settings include:

• DefaultRelayPulse
• WifiMode
• WifiName
• WifiPassword

9.1 GET /UnitSettings/Definitions

GET /v1/UnitSettings/Definitions
Returns the approved public settings and their input rules.

Example response:

9.2 GET /UnitSettings

GET /v1/UnitSettings
Returns the approved settings rows that currently exist for the selected unit.

Example response:

9.3 PUT /UnitSettings

PUT /v1/UnitSettings
Creates or updates one approved setting for the selected unit. The body format is one setting at a time.

Examples:

If a setting is not approved by the public catalog, the API returns 400 Bad Request. After a successful update, call POST /UnitSync/PushChanges to send pending changes to the unit.

10. Unit Sync

Unit Sync sends changed customer data from the server to the physical unit.

Recommended flow:

1. Create, update or mark ID entries for deletion using /UnitIdEntries, and update settings using /UnitSettings
2. Call POST /UnitSync/PushChanges
3. Poll GET /UnitSync/Status until the sync is completed, failed or timed out
4. If needed, call POST /UnitSync/Abort to stop the active sync and clean pending packets

10.1 POST /UnitSync/PushChanges

POST /v1/UnitSync/PushChanges
Packages changed customer data and queues communication packets to the unit. The endpoint returns immediately and does not wait for the unit to answer.

Example response:

10.2 GET /UnitSync/Status

GET /v1/UnitSync/Status
Returns the current sync status for a unit. Status responses have a short cache guard, normally 2 seconds.

If there is no active sync, the API returns a normal response with message No active unit programming.

10.3 POST /UnitSync/Abort

POST /v1/UnitSync/Abort
Aborts the active unit sync for the unit and clears pending programming packets. Use this when a sync has failed, timed out or must be restarted.

11. Tools

Tools are server-side maintenance endpoints. They do not communicate with the physical unit. Use them only when you intentionally need to adjust what the server considers synchronized or changed.

11.1 POST /Tools/IdEntriesSyncState

POST /v1/Tools/IdEntriesSyncState
Changes the server-side unit sync state for ID entries on one unit. Send id if you want to affect one row. Leave id out if you want to affect all ID entries for the selected unit.

11.2 POST /Tools/UnitSettingsSyncState

POST /v1/Tools/UnitSettingsSyncState
Changes the server-side unit sync state for approved public settings on one unit. Send setting plus params if you want to affect one approved setting. Leave them out if you want to affect all approved settings for the selected unit.

11.3 POST /Tools/AllUnitDataSyncState

POST /v1/Tools/AllUnitDataSyncState
Macro endpoint that changes the server-side unit sync state for both ID entries and settings on one unit. This endpoint only needs unitId and unitSyncState.

12. Webhooks

The Webhooks API allows your system to receive HTTP callbacks when a unit reports a status update.

Currently supported event:

• control.statusChanged

Important
The event control.statusChanged is triggered when an ASTAT status message is received from the unit.
To receive updates on IO changes, the FlexyKey unit must be configured to report IO changes.

Important
Webhooks require secure communication to be enabled on the FlexyKey unit.
This may or may not be the default setting depending on the unit version and may need to be enabled manually.

A webhook is configured per unitId and event type.

The webhook payload for control.statusChanged uses the same JSON object structure as:

This means you can use the same parsing logic for:

• Polling via GET /v1/Control
• Push updates via webhook callbacks

12.1 Webhook event payload

When the event control.statusChanged is sent, the payload matches the Control status response and may contain:

• unitId
• serialNumber
• statusTimestamp
• statusTimestampIso
• rawStatus
• inputs
• fOutputs
• xOutputs
• xInputsStatusTimestamp
• xInputsStatusTimestampIso
• rawXInputsStatus
• xInputs
• isCached

Example webhook payload

If a unit has no expansion inputs, or if no X-input status is available, the X-input fields may be empty or null:

12.2 GET /Webhooks/Events

GET /v1/Webhooks/Events
Returns the currently supported webhook event types.

Example request

Example response

12.3 PUT /Webhooks

PUT /v1/Webhooks
Creates or updates a webhook configuration for a specific unitId and event.

This endpoint uses an upsert model:

• If no webhook exists for the unit and event, a new webhook is created
• If a webhook already exists, it is updated

Request body fields

• unitId – required
• event – required
• callbackUrl – required, absolute HTTP/HTTPS URL
• httpMethod – optional, POST, PUT or PATCH
• secret – optional, used for HMAC signature
• apiKey – optional, sent as X-Api-Key
• isActive – optional, 1 or 0

Example request

Example response (created)

Notes

• Use isActive=0 to temporarily disable a webhook without deleting it
• The user must have access rights to the unit
• The event name must be one of the values returned by GET /v1/Webhooks/Events

12.4 GET /Webhooks

GET /v1/Webhooks
Returns webhook configuration for a unit.

Required query parameter

• unitId

Optional query parameter

• event – if provided, returns only the webhook for this event

Example – get all webhooks for a unit

Example – get one webhook

Example response

12.5 DELETE /Webhooks

DELETE /v1/Webhooks
Deletes a webhook for a specific unitId and event.

Required query parameters

• unitId
• event

Example request

Response
Returns 204 No Content if the webhook was deleted.

12.6 POST /Webhooks/Test

POST /v1/Webhooks/Test
Sends a direct HTTP test call to the configured webhook endpoint for the specified unit and event.

This is useful for:

• Verifying that the callback URL is reachable
• Verifying that your endpoint accepts the webhook
• Checking headers, signature and body format

Request body

Example request

Example response

Important
The test call sends the same payload structure as GET /v1/Control / status webhook payload.

12.7 How to test webhooks

Recommended test flow

1. Create a temporary endpoint using a request inspection service such as webhook.site, or use your own HTTPS endpoint
2. Create or update the webhook using PUT /v1/Webhooks
3. Verify the configuration using GET /v1/Webhooks
4. Trigger a test delivery using POST /v1/Webhooks/Test
5. Inspect the received JSON body and verify that your application can parse it
6. Finally, trigger a real unit status change and verify that production webhook delivery works as expected

Example test using webhook.site

1. Open https://webhook.site and copy the generated URL
2. Use that URL as callbackUrl in PUT /v1/Webhooks
3. Call POST /v1/Webhooks/Test
4. Check that the request appears on the webhook.site page

Headers sent with webhook requests

• X-Event – event name, for example control.statusChanged
• X-UnitId – unit ID
• X-Webhook-Test: 1 – present on test deliveries
• X-Api-Key – present if configured
• X-Signature – present if a secret is configured

Signature
If a webhook secret is configured, the payload is signed and sent in:

The HMAC is calculated over the raw JSON request body using the configured secret.

12.8 Recommended client behavior

• Respond with HTTP 2xx as quickly as possible
• Parse the payload using the same model as GET /v1/Control
• Use statusTimestampIso and xInputsStatusTimestampIso for storage and ordering
• Do not assume that xInputs is always present; units without expansion inputs may return empty X-input fields
• Use webhook delivery for real-time updates and use GET /v1/Control only when polling is necessary

13. Logs

FlexyKey logs are available via API for:

• Access events
• System messages
• SMS events
• Communication logs

(Evva logs are not available.)

Example — Retrieve logs for a unit

GET

Response example

14. Booking API

The Booking API allows applications to:

• Create bookings
• Delete bookings
• Query bookings
• Assign phone, keypad code, or RFID credentials (depending on unit type)

Example — Create a booking

Successful responses include a unique bookingId.

15. Best Practices

• Always check HTTP status codes
• Use the ISO timestamps (statusTimestampIso, xInputsStatusTimestampIso) for storage and ordering
• Use GET /Units to discover and cache unit metadata such as IO, sensors and counters; do not call it before every Control or Status command
• Always use globalNumber values such as F1, X33 or IX2 in your integration logic
• Use webhook delivery for real-time updates whenever possible
• Use GET /Control when polling is necessary
• Use POST /RequestUnitInfo to request approved CHECK information from the unit, then read the later response using GET /UnitMessages or the relevant status endpoint
• Do not repeatedly request full unit information profiles; they have longer cache and rate limits because they use the unit communication path
• After changing ID entries, use POST /UnitSync/PushChanges and poll GET /UnitSync/Status until the sync is completed
• Use /Tools endpoints only for server-side maintenance, for example when replacing a unit or resending entries
• If polling is necessary: do not poll status too frequently (recommended 5–10 seconds)
• If polling is necessary: do not poll status too long; in most cases 2–5 status requests after a control command are sufficient.
• Do not assume that X-inputs are always present
• Pulse commands (“60”) return to OFF when expired
• Treat X-outputs case-insensitively (“x33” = “X33”)
• Always use HTTPS

16. Support

FlexAccess AB
https://flexaccess.se
support@flexaccess.se

Please provide:

• Your API username
• Unit serial number
• Example request + response
• Approximate timestamp (UTC)