REST API
ThingsBoard provides a REST API for managing platform entities, integrations, device provisioning, and building custom applications. The API is available on every ThingsBoard instance and documented interactively via Swagger UI.
All examples on this page use $TB_URL for the ThingsBoard base URL (e.g. https://thingsboard.cloud) and $AUTH for the authorization header value (e.g. ApiKey YOUR_KEY).
Swagger UI
Section titled “Swagger UI”Swagger UI lets you browse all available REST API endpoints, inspect request and response schemas, and test API calls directly in your browser.
Access it at:
http://localhost:8080/swagger-ui.htmlIf you are already logged into the ThingsBoard UI, Swagger UI authenticates automatically using your session.
Authentication
Section titled “Authentication”API key (recommended)
Section titled “API key (recommended)”Pass the API key in the X-Authorization header:
X-Authorization: ApiKey YOUR_API_KEY_VALUEExample request:
curl -X GET -H 'X-Authorization: ApiKey YOUR_API_KEY_VALUE' \ '$TB_URL/api/auth/user'API keys are long-lived, require no login, and can be revoked through the ThingsBoard UI.
JWT token (deprecated)
Section titled “JWT token (deprecated)”Obtain an access token by sending credentials to the login endpoint:
curl -X POST -H 'Content-Type: application/json' \ -d '{"username":"[email protected]", "password":"tenant"}' \ '$TB_URL/api/auth/login'Response:
{"token":"YOUR_JWT_TOKEN", "refreshToken":"YOUR_JWT_REFRESH_TOKEN"}Use the token in subsequent requests:
X-Authorization: Bearer YOUR_JWT_TOKENAccess tokens are valid for 2.5 hours; refresh tokens for 1 week.
REST API clients
Section titled “REST API clients”ThingsBoard provides language-specific client libraries that simplify REST API usage:
- Java REST Client — manage entities from Java applications
- Python REST Client — manage entities from Python scripts
Finding entity IDs
Section titled “Finding entity IDs”Most API calls require an entity ID (UUID). You can find it in the ThingsBoard UI (it appears in the URL when you open an entity), or fetch it via REST.
List devices — returns paginated devices with their IDs:
curl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/tenant/devices?pageSize=10&page=0'Response (abbreviated):
{ "data": [ { "id": {"entityType": "DEVICE", "id": "784f394c-42b6-435a-983c-b7beff2784f9"}, "name": "Thermostat A1", "type": "thermostat" } ], "totalElements": 3}Use the id value (784f394c-...) in the {deviceId} placeholder in all subsequent examples. The same pattern applies to other entity types — use /api/tenant/assets, /api/customers, etc.
Attributes API
Section titled “Attributes API”The Attributes API lets you create, read, and delete attributes on any entity. Attributes are organized into scopes:
| Scope | Description | Writable via REST |
|---|---|---|
SERVER_SCOPE | Set by server-side applications | Yes |
SHARED_SCOPE | Set by server, readable by devices | Yes |
CLIENT_SCOPE | Reported by devices | No (device-only) |
Save attributes
Section titled “Save attributes”Create or update attributes in a given scope. The request body is a JSON object with key-value pairs.
curl -X POST -H 'Content-Type: application/json' \ -H 'X-Authorization: $AUTH' \ -d '{"firmware":"1.2.3", "batchSize":100}' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/attributes/SERVER_SCOPE'Works for any entity type — replace DEVICE/{deviceId} with ASSET/{assetId}, etc.
Read attributes
Section titled “Read attributes”All scopes — returns attributes from every scope merged together:
curl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/values/attributes'Specific scope with optional key filter:
curl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/values/attributes/SERVER_SCOPE?keys=firmware,batchSize'Response:
[ {"lastUpdateTs": 1709912345000, "key": "firmware", "value": "1.2.3"}, {"lastUpdateTs": 1709912345000, "key": "batchSize", "value": 100}]List attribute keys
Section titled “List attribute keys”# All scopescurl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/keys/attributes'
# Specific scopecurl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/keys/attributes/SERVER_SCOPE'Response: ["firmware", "batchSize"]
Delete attributes
Section titled “Delete attributes”curl -X DELETE -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/SERVER_SCOPE?keys=firmware,batchSize'Time Series API
Section titled “Time Series API”The Time Series API lets you save, query, and delete time series data for any entity.
Save time series
Section titled “Save time series”Simple format — the server assigns the current timestamp:
curl -X POST -H 'Content-Type: application/json' \ -H 'X-Authorization: $AUTH' \ -d '{"temperature": 22.5, "humidity": 58}' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/timeseries/ANY'With explicit timestamp (milliseconds since epoch):
curl -X POST -H 'Content-Type: application/json' \ -H 'X-Authorization: $AUTH' \ -d '{"ts": 1709912345000, "values": {"temperature": 22.5, "humidity": 58}}' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/timeseries/ANY'Multiple data points with different timestamps:
curl -X POST -H 'Content-Type: application/json' \ -H 'X-Authorization: $AUTH' \ -d '[ {"ts": 1709912340000, "values": {"temperature": 22.3}}, {"ts": 1709912345000, "values": {"temperature": 22.5}} ]' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/timeseries/ANY'With TTL — data expires after the specified number of seconds:
curl -X POST -H 'Content-Type: application/json' \ -H 'X-Authorization: $AUTH' \ -d '{"temperature": 22.5}' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/timeseries/ANY/86400'Get latest values
Section titled “Get latest values”Returns the most recent value for each requested key:
curl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/values/timeseries?keys=temperature,humidity'Response:
{ "temperature": [{"ts": 1709912345000, "value": "22.5"}], "humidity": [{"ts": 1709912345000, "value": "58"}]}Get time series range
Section titled “Get time series range”Returns historical data points within a time window. Supports aggregation.
curl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/values/timeseries?keys=temperature&startTs=1709900000000&endTs=1709999999999&limit=100&agg=NONE&orderBy=ASC'Parameters:
| Parameter | Required | Description |
|---|---|---|
keys | Yes | Comma-separated telemetry key names |
startTs | Yes | Start of time range (ms since epoch) |
endTs | Yes | End of time range (ms since epoch) |
limit | No | Max data points per key (default 100) |
agg | No | Aggregation: NONE, AVG, MIN, MAX, SUM, COUNT |
interval | No | Aggregation interval in ms (required when agg is not NONE) |
orderBy | No | ASC or DESC (default DESC) |
Aggregated example — hourly averages:
curl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/values/timeseries?keys=temperature&startTs=1709900000000&endTs=1709999999999&agg=AVG&interval=3600000'List time series keys
Section titled “List time series keys”curl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/keys/timeseries'Response: ["temperature", "humidity", "speed"]
Delete time series
Section titled “Delete time series”curl -X DELETE -H 'X-Authorization: $AUTH' \ '$TB_URL/api/plugins/telemetry/DEVICE/{deviceId}/timeseries/delete?keys=temperature&deleteAllDataForKeys=true'Parameters:
| Parameter | Description |
|---|---|
keys | Comma-separated key names to delete |
deleteAllDataForKeys | true to delete all data; false to use time range |
startTs / endTs | Time range (required when deleteAllDataForKeys=false) |
deleteLatest | true to also delete the latest value (default false) |
rewriteLatestIfDeleted | true to recalculate latest from remaining data |
RPC API
Section titled “RPC API”The RPC API lets server-side applications send commands to devices. The device must be online (or persistent RPC must be used).
One-way RPC
Section titled “One-way RPC”Sends a command without waiting for a response from the device:
curl -X POST -H 'Content-Type: application/json' \ -H 'X-Authorization: $AUTH' \ -d '{"method": "setGpio", "params": {"pin": 4, "value": 1}}' \ '$TB_URL/api/rpc/oneway/{deviceId}'Returns HTTP 200 with empty body on success.
Two-way RPC
Section titled “Two-way RPC”Sends a command and waits for the device to respond:
curl -X POST -H 'Content-Type: application/json' \ -H 'X-Authorization: $AUTH' \ -d '{"method": "getState", "params": {}}' \ '$TB_URL/api/rpc/twoway/{deviceId}'Returns the device response as JSON. If the device does not respond within the timeout, returns HTTP 504.
Request body:
| Field | Required | Description |
|---|---|---|
method | Yes | RPC method name — the device must handle this method |
params | Yes | Parameters passed to the device (any JSON) |
timeout | No | Timeout in ms (default: 10000) |
persistent | No | true to store the RPC and deliver when the device connects |
retries | No | Number of retries for persistent RPC |
additionalInfo | No | Arbitrary metadata stored with persistent RPC |
Persistent RPC
Section titled “Persistent RPC”When "persistent": true, the platform stores the RPC request and delivers it when the device comes online.
Query persistent RPCs for a device:
curl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/rpc/persistent/device/{deviceId}?pageSize=10&page=0&rpcStatus=QUEUED&sortProperty=createdTime&sortOrder=ASC'Get a specific RPC by ID:
curl -H 'X-Authorization: $AUTH' \ '$TB_URL/api/rpc/persistent/{rpcId}'Delete a persistent RPC:
curl -X DELETE -H 'X-Authorization: $AUTH' \ '$TB_URL/api/rpc/persistent/{rpcId}'API controllers reference
Section titled “API controllers reference”The table below lists all REST API controller groups available in Swagger UI. Each controller groups related endpoints.
Core Entities
Section titled “Core Entities”| Controller | Description |
|---|---|
device-controller | CRUD operations on devices, assign to customers/tenants, search |
asset-controller | CRUD operations on assets, assign to customers, search |
entity-view-controller | Create and manage entity views (filtered projections of devices/assets) |
entity-relation-controller | Create, query, and delete relations between entities |
customer-controller | Create and manage customers, assign sub-entities |
user-controller | Manage users, settings, activation links |
dashboard-controller | CRUD operations on dashboards, assign to customers, import/export |
device-profile-controller | Manage device profiles (transport, alarm rules, provisioning) |
asset-profile-controller | Manage asset profiles |
Telemetry & Attributes
Section titled “Telemetry & Attributes”| Controller | Description |
|---|---|
telemetry-controller | Save/read/delete attributes and time series for any entity |
entity-query-controller | Query entities with filters, pagination, and data aggregation — see Entity Data Query API |
Alarms
Section titled “Alarms”| Controller | Description |
|---|---|
alarm-controller | Create, acknowledge, clear, assign, and query alarms |
alarm-query-controller | Query alarms with entity filters, severity, status, and time range — see Alarm Query API |
alarm-comment-controller | Add, update, and delete comments on alarms |
| Controller | Description |
|---|---|
rpc-v-2-controller | Send one-way/two-way RPC to devices, manage persistent RPCs |
rpc-v-1-controller | Deprecated — use rpc-v-2-controller |
Rule Engine
Section titled “Rule Engine”| Controller | Description |
|---|---|
rule-chain-controller | CRUD for rule chains, import/export, set root chain |
rule-engine-controller | Push messages to the rule engine for a specific entity |
Administration
Section titled “Administration”| Controller | Description |
|---|---|
admin-controller | System settings (mail, SMS, general), updates check |
tenant-controller | Manage tenants |
tenant-profile-controller | Manage tenant profiles (rate limits, quotas) |
auth-controller | Password reset, change password, user activation |
login-endpoint | Login (JWT), token refresh |
queue-controller | Manage processing queues |
queue-stats-controller | View queue statistics |
audit-log-controller | Query audit logs (by user, entity, or tenant) |
usage-info-controller | Get tenant API usage info |
Security
Section titled “Security”| Controller | Description |
|---|---|
api-key-controller | Create, enable/disable, and delete API keys |
two-factor-auth-controller | 2FA verification (send/check codes, login with 2FA) |
two-factor-auth-config-controller | Configure 2FA providers and account settings |
o-auth-2-controller | Manage OAuth2 clients and login settings |
domain-controller | Manage custom domains and OAuth2 client assignments |
secret-controller | Store and manage secrets (passwords, tokens) |
Notifications
Section titled “Notifications”| Controller | Description |
|---|---|
notification-controller | Send notifications, mark as read, get notification feed |
notification-rule-controller | Manage notification rules (triggers) |
notification-target-controller | Manage notification targets (recipients) |
notification-template-controller | Manage notification templates |
Device Connectivity
Section titled “Device Connectivity”| Controller | Description |
|---|---|
device-connectivity-controller | Get connectivity commands and download certificates |
lwm-2m-controller | LwM2M bootstrap security info |
OTA Updates & Resources
Section titled “OTA Updates & Resources”| Controller | Description |
|---|---|
ota-package-controller | Upload and manage firmware/software OTA packages |
tb-resource-controller | Upload and manage platform resources (images, files, LwM2M models) |
image-controller | Upload, update, and serve images |
Widgets & UI
Section titled “Widgets & UI”| Controller | Description |
|---|---|
widgets-bundle-controller | Manage widget bundles |
widget-type-controller | Manage individual widget types |
ui-settings-controller | Get UI configuration (help base URL) |
Version Control & Solutions
Section titled “Version Control & Solutions”| Controller | Description |
|---|---|
entities-version-control-controller | Save/load entity versions, compare, list branches |
solution-controller | Install and manage solution templates |
| Controller | Description |
|---|---|
edge-controller | Manage edge instances, assign entities to edges |
edge-event-controller | Query edge sync events |
Integrations & Converters (PE)
Section titled “Integrations & Converters (PE)”| Controller | Description | PE only |
|---|---|---|
integration-controller | Manage platform integrations | Yes |
converter-controller | Manage uplink/downlink converters | Yes |
converter-library-controller | Browse converter library by vendor/model | Yes |
Groups & Permissions (PE)
Section titled “Groups & Permissions (PE)”| Controller | Description | PE only |
|---|---|---|
entity-group-controller | Create and manage entity groups, share with users | Yes |
group-permission-controller | Manage group-level permissions | Yes |
role-controller | Manage roles (generic, group) | Yes |
Scheduling & Reporting (PE)
Section titled “Scheduling & Reporting (PE)”| Controller | Description | PE only |
|---|---|---|
scheduler-event-controller | Create and manage scheduled events | Yes |
report-controller | Generate and download dashboard reports | Yes |
report-template-controller | Manage report templates | Yes |
dashboard-report-controller | Download dashboard reports (legacy) | Yes |
White Labeling & Custom UI (PE)
Section titled “White Labeling & Custom UI (PE)”| Controller | Description | PE only |
|---|---|---|
white-labeling-controller | Customize branding (logo, colors, login page) | Yes |
custom-menu-controller | Manage custom menu items | Yes |
custom-translation-controller | Manage custom UI translations | Yes |
Calculated Fields
Section titled “Calculated Fields”| Controller | Description |
|---|---|
calculated-field-controller | Create and manage calculated fields, test expressions |
Mobile
Section titled “Mobile”| Controller | Description |
|---|---|
mobile-app-controller | Manage mobile app configurations |
mobile-app-bundle-controller | Manage mobile app bundles |
qr-code-settings-controller | Manage QR code and mobile app settings |
AI (PE)
Section titled “AI (PE)”| Controller | Description | PE only |
|---|---|---|
ai-model-controller | Manage AI model configurations | Yes |
ai-chat-controller | AI chat sessions | Yes |
| Controller | Description |
|---|---|
component-descriptor-controller | Browse available rule node components |
blob-entity-controller | Upload and download binary entities |
event-controller | Query rule engine events (errors, debug, lifecycle) |
owner-controller | Change entity ownership (tenant ↔ customer) |
self-registration-controller | Manage self-registration settings |
See also
Section titled “See also”- Entity Data Query API — advanced entity search with filters, used by
entity-query-controllerand WebSocketENTITY_DATA - Alarm Query API — alarm search with severity, status, and time filters, used by
alarm-query-controllerand WebSocketALARM_DATA - WebSocket API — real-time subscriptions for telemetry, alarms, and notifications
- APIs & SDKs — all available APIs and client libraries