Getting Started

Before You Begin — Kiteworks REST API Prerequisites

Before making your first Kiteworks REST API call, you need a licensed Kiteworks instance, a registered custom application, and familiarity with REST, OAuth 2.0, JSON, and HTTP. This guide walks you through each requirement.

Prerequisites

The Kiteworks REST API builds on a set of widely-used web standards. You should be familiar with the following concepts before working with the API:

REST

Representational State Transfer architectural style and its constraints — resources, statelessness, and uniform interfaces.

OAuth 2.0

The OAuth 2.0 authorization framework, including grant types, access tokens, and token scopes.

JSON

JavaScript Object Notation — the format used for all API request and response bodies.

HTTP

HTTP methods (GET, POST, PUT, DELETE), status codes, and request/response headers.

Multipart MIME

Multipart MIME request structure, used when uploading files alongside metadata in a single API call.

New to these concepts? The API Playground includes guided, runnable examples that let you explore the API hands-on before writing any code.

Licensing Requirements

The REST API is available on every Kiteworks Enterprise package that has the Developer Suite add-on enabled. You must confirm your license before attempting to register a custom application or call any API endpoint.

Check your license status

  1. Open the Kiteworks Admin console
    Sign in as an administrator and navigate to Application Setup → Licenses.
  2. Locate the API entry
    In the Features section, find the row labelled API.
  3. Confirm the status
    If the status reads Enabled, your instance is licensed and ready to use. If it reads Disabled or the row is absent, contact your Kiteworks account team to enable the Developer Suite on your license.
API calls made against an unlicensed instance will return 403 Forbidden. Confirm your license status before registering a custom application or configuring OAuth credentials.

Create a Custom Application

Every integration with the Kiteworks API requires a custom application — a registered entity that represents your product or script. The application record stores the OAuth credentials, permitted scopes, redirect URIs, and token lifetimes that Kiteworks uses to identify and authorize your requests.

You can create multiple custom applications to represent different integrations or workflows — for example, one application for a user-facing web app and another for an automated on-boarding script.

Register a new application

  1. Open the API Applications page
    In the Kiteworks Admin console, go to Application Setup → Apps and Plugins → API, then click Create Custom Application.
  2. Enter the application details
    Provide a Name and optional Description that clearly identify your integration. These are visible only to administrators.
  3. Select an authorization flow
    Choose the OAuth grant type that matches your integration:
    FlowUse when…
    Authorization Code Your application acts on behalf of a signed-in Kiteworks user (web apps, native apps).
    JWT Your application needs to impersonate Kiteworks users in a secure server-side environment. Do not use for public clients.
    JWT requires additional setup. If you select the JWT flow, you must also configure an RSA public key, issuer, audience, and subject attribute on this application — and generate a matching private key on your server. The Authorization Code flow does not require this. See JWT Bearer Flow — Application setup for the full list of required fields and a step-by-step key generation command.
  4. Configure token and redirect settings
    Set the remaining fields:
    • Enable refresh token — allow access tokens to be refreshed without re-authenticating the user.
    • Redirect URI — the URL Kiteworks sends the user to after authorization. Must exactly match what your application expects. Supports https://, custom schemes (e.g. myapp://), and the %%HOST%% placeholder for the current Kiteworks hostname.
    • Access token lifetime — how long an access token remains valid.
    • Refresh token lifetime — how long a refresh token can be used (only shown when refresh tokens are enabled).
  5. Configure access control
    Under Access Control, choose who can use this application. Toggle Allow All Users on to permit every Kiteworks user, or leave it off and enter specific email addresses in Allowed Users. Similarly, toggle Allow All IPs on to accept requests from anywhere, or specify individual IP addresses or CIDR ranges in Allowed IPs.
  6. Select API scopes
    Choose only the scopes your integration requires. Scopes define exactly which API endpoints and actions your application can perform. Consult your administrator for available scopes.
  7. Save and copy your credentials
    Click Add Application. Kiteworks displays the Client Application ID and Client Secret Key — copy all three to a secure location immediately. They are shown only once.
Protect your credentials. The Client Application ID and Client Secret Key cannot be changed after creation. Anyone who obtains them can access your Kiteworks instance. Store them in a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) and never commit them to source control.

Test your application

Once created, you can test your application's credentials against the interactive API explorer at:

API Explorer URL
https:///rest/index.html

Frequently Asked Questions

Do I need a special license to use the Kiteworks REST API?

Yes. API access must be enabled for your Kiteworks instance. You can confirm this in the Admin console under Application Setup › Licenses. If the API option is not present or disabled, contact your Kiteworks account team.

What technical knowledge do I need before using the Kiteworks API?

You should be comfortable with REST principles (HTTP verbs, status codes, and URL structures), OAuth 2.0 authorization flows, JSON request and response bodies, and multipart MIME for file uploads. No specialized Kiteworks knowledge is required before starting.

Do I need to create a custom application in Kiteworks?

Yes. Every API integration requires a registered custom application in your Kiteworks Admin console. The application provides the client ID, client secret, redirect URI, and OAuth scopes that your code needs to obtain an access token.

Where can I find the Kiteworks API reference documentation?

The interactive API reference is available at https:///rest/index.html on your Kiteworks instance. You can also browse the API Reference in this developer portal for a full listing of all endpoints.

Can I register multiple custom applications for the same Kiteworks instance?

Yes. You can register multiple custom applications on a single Kiteworks instance — for example, one for each integration or environment (development, staging, production). Each application gets its own client credentials and scope configuration.

Next Steps

With a licensed instance and a registered application, you're ready to authenticate: