Create a "Remote" User in the ISPConfig UI. Check boxes there to assign permissions for the kinds of queries that can be processed by that user.

Almost all API queries require a session_id. To get that, call the login function, sending the remote username and password. The response will be a single value which will be used as your session ID for a limited time period for all other requests.

Finishing with a logout request is recommended, but optional since the session IDs expire.

Rather than using a single integer ID as a primary key selector (domain_id, group_id, etc), use -1. Where the primary key for a _get request is a string, use an empty array ' [] '. Do not use an empty string ' "" ', which is itself a valid string and will/should return an empty array result.

No, there are no default values except where explicitly noted. For example, in the system_config_get function, the key element is optional because it is documented as defaulting to an empty string. For all requests, except where documented otherwise, send all documented parameters.

The REST API supports all functions and can be exactly substituted for SOAP examples. For all functions, the request and response parameters are the same for SOAP and REST.

The documentation details request and response parameters which can be passed using any language or toolchain. The URL always includes the function name. Queries are always sent via POST. The result is always in the same JSON format. Use Postman or another tool to generate code in your preferred languages.

If a parent ID is invalid, a transaction may be accepted, with a record created under a different parent entity.

Carefully check the names and values being sent. Invalid name/value pairs are ignored. A request that does not include a valid request paramenter is requesting nothing, so the return value is nothing. The query was successful, and returned no data.

The documentation shows PHP function syntax. SOAP and REST parameters do not include the leading $dollar-sign

Based on the above you may be thinking there is very little error checking with this API. That is correct. As noted by Jesse Norell:

"The api is largely just an interface to the database tables, and will usually accept what you send, whether that's consistent/correct or not. It can be a feature, eg. you can create a mail alias first before creating the mailbox to which it forwards, but it does mean you have a lot more testing to do on your side because you can't just rely on an error to be thrown if you send inconsistent data."

These fields are referenced often in the developer forum and in code, usually with some confusion. These internal database fields are used in SQL queries to determine parent/child client relationships. The fields are not passed to API calls, with the exception of one function, client_get_id which is a convenience function to return the client_id for a sys_userid. In the past other functions included these keys in the request. Now, when a function request includes a client_id, at query time a lookup is done to get the internal sys_userid for that client.

The sys_userid can identify the creator of a record. This may be the ID of the local/UI user or the remote/API user that is logging in to create records. If a client record is created without a reseller, both the sys_userid and the sys_groupid are the same user ID.

If a client record is created with a reseller, the meaning of the fields is completely different. The sys_userid is not a logged-in user ID. It is a new ID that represents the client under the reseller. The sys_groupid for a client under a reseller is (a foreign-key to) the sys_userid of the client record for the reseller. In this scenario, the sys_groupid establishes a child-to-parent relationship.

The 'domains_' functions update the 'domains' table, which is used by the domain limit module. Clients and resellers are restricted to the domains in this table. To activate domain limits, go to System > Interface > Main Config, then to the Domains tab. Logout/in. Then go to Sites, Add or Edit a site, the "Domain" dropdown list uses this table.

Maybe something you write...