Before You Begin — Kiteworks REST API Prerequisites
Before making your first Kiteworks REST API call, you need a licensed Kiteworks instance, a registered custom application, and familiarity with REST, OAuth 2.0, JSON, and HTTP. This guide walks you through each requirement.
Prerequisites
The Kiteworks REST API builds on a set of widely-used web standards. You should be familiar with the following concepts before working with the API:
Representational State Transfer architectural style and its constraints — resources, statelessness, and uniform interfaces.
The OAuth 2.0 authorization framework, including grant types, access tokens, and token scopes.
JavaScript Object Notation — the format used for all API request and response bodies.
HTTP methods (GET, POST, PUT, DELETE), status codes, and request/response headers.
Multipart MIME request structure, used when uploading files alongside metadata in a single API call.
Licensing Requirements
The REST API is available on every Kiteworks Enterprise package that has the Developer Suite add-on enabled. You must confirm your license before attempting to register a custom application or call any API endpoint.
Check your license status
-
Open the Kiteworks Admin consoleSign in as an administrator and navigate to Application Setup → Licenses.
-
Locate the API entryIn the Features section, find the row labelled API.
-
Confirm the statusIf the status reads Enabled, your instance is licensed and ready to use. If it reads Disabled or the row is absent, contact your Kiteworks account team to enable the Developer Suite on your license.
403 Forbidden. Confirm your license
status before registering a custom application or configuring OAuth credentials.
Create a Custom Application
Every integration with the Kiteworks API requires a custom application — a registered entity that represents your product or script. The application record stores the OAuth credentials, permitted scopes, redirect URIs, and token lifetimes that Kiteworks uses to identify and authorize your requests.
You can create multiple custom applications to represent different integrations or workflows — for example, one application for a user-facing web app and another for an automated on-boarding script.
Register a new application
-
Open the API Applications pageIn the Kiteworks Admin console, go to Application Setup → Apps and Plugins → API, then click Create Custom Application.
-
Enter the application detailsProvide a Name and optional Description that clearly identify your integration. These are visible only to administrators.
-
Select an authorization flowChoose the OAuth grant type that matches your integration:
Flow Use when… Authorization Code Your application acts on behalf of a signed-in Kiteworks user (web apps, native apps). JWT Your application needs to impersonate Kiteworks users in a secure server-side environment. Do not use for public clients. JWT requires additional setup. If you select the JWT flow, you must also configure an RSA public key, issuer, audience, and subject attribute on this application — and generate a matching private key on your server. The Authorization Code flow does not require this. See JWT Bearer Flow — Application setup for the full list of required fields and a step-by-step key generation command. -
Configure token and redirect settingsSet the remaining fields:
- Enable refresh token — allow access tokens to be refreshed without re-authenticating the user.
- Redirect URI — the URL Kiteworks sends the user to after authorization. Must exactly match what your application expects. Supports
https://, custom schemes (e.g.myapp://), and the%%HOST%%placeholder for the current Kiteworks hostname. - Access token lifetime — how long an access token remains valid.
- Refresh token lifetime — how long a refresh token can be used (only shown when refresh tokens are enabled).
-
Configure access controlUnder Access Control, choose who can use this application. Toggle Allow All Users on to permit every Kiteworks user, or leave it off and enter specific email addresses in Allowed Users. Similarly, toggle Allow All IPs on to accept requests from anywhere, or specify individual IP addresses or CIDR ranges in Allowed IPs.
-
Select API scopesChoose only the scopes your integration requires. Scopes define exactly which API endpoints and actions your application can perform. Consult your administrator for available scopes.
-
Save and copy your credentialsClick Add Application. Kiteworks displays the Client Application ID and Client Secret Key — copy all three to a secure location immediately. They are shown only once.
Test your application
Once created, you can test your application's credentials against the interactive API explorer at:
https:///rest/index.html
Frequently Asked Questions
Do I need a special license to use the Kiteworks REST API?
Yes. API access must be enabled for your Kiteworks instance. You can confirm this in the Admin console under Application Setup › Licenses. If the API option is not present or disabled, contact your Kiteworks account team.
What technical knowledge do I need before using the Kiteworks API?
You should be comfortable with REST principles (HTTP verbs, status codes, and URL structures), OAuth 2.0 authorization flows, JSON request and response bodies, and multipart MIME for file uploads. No specialized Kiteworks knowledge is required before starting.
Do I need to create a custom application in Kiteworks?
Yes. Every API integration requires a registered custom application in your Kiteworks Admin console. The application provides the client ID, client secret, redirect URI, and OAuth scopes that your code needs to obtain an access token.
Where can I find the Kiteworks API reference documentation?
The interactive API reference is available at https:// on your Kiteworks instance. You can also browse the API Reference in this developer portal for a full listing of all endpoints.
Can I register multiple custom applications for the same Kiteworks instance?
Yes. You can register multiple custom applications on a single Kiteworks instance — for example, one for each integration or environment (development, staging, production). Each application gets its own client credentials and scope configuration.
Next Steps
With a licensed instance and a registered application, you're ready to authenticate:
- Authentication → Obtain OAuth tokens and attach them to API requests
- Quick Start → Make your first authenticated API call in minutes
- API Playground → Explore live, runnable examples in the browser