Custom Elements: API
An API interface is a form whose filled values Skava sends as JSON to an address you specify (your backend). This way you can connect Skava securely with your own systems.
You manage API interfaces in the Webapp under Custom Elements → toggle API Interfaces. Creating and editing is reserved for company admins; released interfaces can then be triggered by all members of the company.
Set up an API interface
An interface consists of input fields (they form the JSON), the target address, and authentication.
- Create fields: Each field gets a JSON key. On the right you see a live preview of the JSON, exactly as it is sent to your backend.
- Address (URL): the https:// address of your backend. Only HTTPS and publicly accessible addresses are allowed (see Security below).
- Method: POST (default), PUT, PATCH, or GET. With GET the values are appended as query parameters instead of being sent in the body.
- Authentication: Set the header name (e.g. Authorization) and value prefix (e.g. Bearer), then save the token. Optionally set an expiration date.
- Response fields (optional): Define by path which values from the backend response should be displayed — e.g. order.id or items[0].sku.
- Check with Ping and Test Request, then Release.
Store token securely
The token is stored encrypted and never returned to clients — the app only shows whether a token is set and when it expires. When sending, Skava appends it server-side to the configured header. If you set an expiration date, Skava refuses the call after expiration and asks you to renew the token.
Testing: Ping and Test Request
- Ping — a light reachability check. It only checks whether your address responds, and does not send token or form data in the process. Shows reachability, status, and response time. Ideal as a first step.
- Test Request — the real trial run: sends sample data including token to your address and shows you the complete response as well as the extracted response fields.
As an admin, you can run both while still in draft mode to verify the integration before release.
Draft and Release
Each interface starts as a draft and can be freely edited. Once everything is ready, you release it with Release.
Released interfaces are immutable. This is intentional: so that after release no one can secretly swap the target address or token. If you want to change something, create a new version.
Security
To prevent the interface from being misused, strict rules apply: only HTTPS addresses are allowed, and the address must point to a public target address — internal addresses (e.g. localhost, private networks, or cloud metadata) are rejected. Skava checks this on every call, connects exactly to the verified address, follows no redirects, and limits timeout and response size.
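The destination check described above, written out as an added example (this is not Skava's own code). The names vet_target, RejectedTarget, sample_resolver and SAMPLE_DNS are hypothetical, and "public" is assumed to mean what Python's ipaddress module classifies as is_global.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class RejectedTarget(ValueError):
    """The target URL breaks one of the rules in the Security section."""

def system_resolver(host, port):
    # Real DNS lookup; returns every address the name resolves to.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def vet_target(url, resolver=system_resolver):
    """Run before every outbound call. Returns (host, port, pinned_ip)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise RejectedTarget("only https:// targets are allowed")
    if not parts.hostname or parts.username or parts.password:
        raise RejectedTarget("missing host or credentials embedded in URL")
    port = parts.port or 443
    addrs = [ipaddress.ip_address(a.split("%")[0])
             for a in resolver(parts.hostname, port)]
    if not addrs:
        raise RejectedTarget("host does not resolve")
    for ip in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) before classifying.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # is_global is False for loopback, RFC 1918, link-local
        # (169.254.169.254 metadata), unique-local and reserved ranges.
        if not ip.is_global:
            raise RejectedTarget(f"{ip} is not a public address")
    # Caller connects to pinned_ip itself (TLS SNI and certificate check
    # against host), with redirects off, a timeout and a capped read.
    return parts.hostname, port, str(addrs[0])

# Constructed sample data standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "backend.example": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "169.254.169.254"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # IP literals map to themselves

def is_rejected(url):
    try:
        vet_target(url, sample_resolver)
    except RejectedTarget:
        return True
    return False
```

Rejecting a name when any one of its resolved addresses is internal, and connecting to the returned address instead of resolving the name a second time, is what keeps a DNS answer that changes between check and connect from reaching an internal target.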
Related
Do you instead want to build a fillable document template? See Custom Elements: Documents.
Frequently Asked Questions
What is an API interface in Skava?
A form whose filled values Skava sends as JSON to an address you specify (your backend) — handy for connecting Skava with your own systems.
Who is allowed to create and trigger API interfaces?
Creating and editing is reserved for company admins. A released interface can then be triggered by all members of the company.
What is the difference between "Ping" and "Test Request"?
Ping only checks whether the address is reachable — without token and without data. Test Request sends sample data including token and shows the complete response.
Is my API token secure?
Yes. The token is stored encrypted and never delivered to clients. The app only shows whether a token is set and when it expires.
Which addresses are allowed as endpoints?
Only publicly accessible https:// addresses. Internal targets like localhost, private networks, or cloud metadata are rejected — this protects against misuse of the interface.
Why can I no longer change a released interface?
Released interfaces are intentionally immutable — so that after release no one can swap the target address or token. For changes, you create a new version.