REST API Specification – Authentication


Before you can use any API functions, you need to authenticate a user.

  • Description: Authenticate user.
  • URL structure: http://zurmo_url/index.php/zurmo/api/login
  • Method: POST
  • HTTP header parametres:
    Accept: application/json
    ZURMO_AUTH_USERNAME: %username%
    ZURMO_AUTH_PASSWORD: %password%
  • Parameters: None
  • PHP example:
    public function login($username, $password)
        $headers = array(
            'Accept: application/json',
            'ZURMO_AUTH_USERNAME: ' . $username,
            'ZURMO_AUTH_PASSWORD: ' . $password,
        $response = ApiRestHelper::createApiCall('http://zurmo_url/index.php/zurmo/api/login', 'POST', $headers);
        $response = json_decode($response, true);
        if ($response['status'] == 'SUCCESS')
            return $response['data'];
            return false;
  • Return:
    Data contains array of sessionId and token elements.

    Response example:


Leave a Comment

  • Brian Stewart

    I’ve tried doing the above but I only get a response 302 redirect

    as anything changed in the API with the release to 1.0?

    • Ivica Nedeljkovic

      No we haven’t changed anything.
      But did you entered correct api url, instead ‘zurmo_url’ string? This login url usually look like(note ‘/app/’ in this url):

      If this doesn’t help, I suggest you to try to execute unit tests, to ensure that API is working fine.

      • Brian Stewart

        Hi Ivica,

        I’ve checked again and when running the url I now get a 404 error (not found )

        /app/index.php/zurmo/api/login was not found on this server

        Really confused as the api did work fine last time.

        • Ivica Nedeljkovic

          Can you try to access url like this(replace zurmo.local with your zurmo url)

          You should get an PHP error in this case, not 404 error.

          • Brian Stewart

            Ok not to worry

            the problem was because zurmo is installed in a subdirectory called zurmo so if i changed the url to


            all works !

          • alex

            Can I call this rest api from outside the zurmo app, For example, in my own site I want to call this api to get an access token. Is this posible.

          • Brian Stewart


            I’ve tried but I’m getting 404 errors

          • Ray Stoeckicht

            We have Developer Sessions every Tuesday at 10:00AM Chicago Time ( You can always join an upcoming session and ask any questions to our technical team.

  • Ramkumar Murugadoss

    What is the default session timeout and in which cases the token will expire?

    • Ivica

      Session works same like for web application. Token expires at same time with session.

  • Chuck

    I am receiving an error when following this example. Has anything changed? using v1.6 and the response is: ApiExceptionnInvalid API request type.

    • Ray Stoeckicht

      I think this might have been you who posted on the Forums:

      If possible, jump on the Dev Session in 10 minutes and we can go over it.

      • nyaray

        Hey, it’s great that you have the Dev Sessions, but can’t you put the answers to the questions up if they’re answered during the sessions? Or do you do that and put them up somewhere else?

        The reason I ask is because we’re getting the same issue on 2.2.6

        • Ray Stoeckicht

          Yes, we post answers to questions from the Dev Session. Usually, we start with questions from people on the session, then we go to the Forums (

          We could probably do a better job answering questions from wiki articles like this. You could also ask questions on the forums and you might receive a quicker response from a forums member or someone on the Zurmo team.

  • nonmaskable_developer

    i am developing a script which will sync google calendar, to add a calendar entry into a meeting i need to call zurmo login API, which takes username and password as input

    I have to perform this as a cron job where username and password would not be stored in database. How would i call login API then ?

  • nyaray

    This wasn’t working for us. The reason was a newer apache version (greater than or equal to 2.4, to be specific) dropping headers containing underscores (‘_’). This is somehow (haven’t looked into the details) to prevent header injection vulnerabilities.

    The solution was to make requests with the header names described in the documentation rewritten to have dashes (‘-’) instead of underscores (‘_’).

    Hope this helps someone,
    peace out!

    • Ray Stoeckicht

      Thanks for posting the fix. You rock. Hope this helps some people who were having the same issue.

    • Mikhail Kalatchev

      The IIS 7.5 has similar problem. I found, that IIS 7.5 rewrites headers of type “SOMETHING_OTHER” to “Something-Other”. Underline is turned into dash and casing is changed. Just to get worse, in php 5.5 for Windows function_exists(‘getallheaders’) returns true! This totally compromise REST module. I had to modify code (ver. 2.6.1) to make it work. Zurmo’s concept of headers whould be revised.

    • Shaun Wilders

      Thanks so much! Been struggling with this for some time.

    • Shuai Yang

      Thanks so much!

    • Mario

      Yesssss.. Please someone update the docs.

  • Subin Babu

    I am a newbie…Where should I put this php sample in the Zurmo folder structure and how to call for authentication??I need to used REST api to call jobmanager ..Is this possible?

    Appreciate your help
    Subin Babu

  • alex

    Can I call this rest api from outside the zurmo app ?, For example, in my
    own site I want to call this api to get an access token. Is this

  • ankur


    how to do url Authentication in php.

    • ankur

      plz help me out.