Authentication, Authoring & Content, Development Tools, Mobile Apps

Turn your Joomla website into a webservice to manage SSO, integrate with enterprise infrastructure, power mobile apps and more!

  • Get this
  • Favourite
  • Report

Extend functionality with plugins

Take advantage of our growing library of API webservices plugins.

Save your application servers

Built-in API rate throttling can be configured globally or an a per-token basis. Provides intelligent feedback which API consumers can use to proactively throttle requests before hitting hard limits.

Control access without the hassle

Leverage Joomla's robust ACL to control access to any add-ons, routes or request-types. Expert users can leverage Joomla's pluggable authentication architecture to open up corporate middleware and SSO capabilities.

How does it work?

cAPI injects the Slim micro-framework into the Joomla application instance, allowing for service route plugins to be built at any level of the event stack. But that's only the beginning!

A Services Control Panel manages the creation of JSON REST API access tokens, Slim framework parameters and API rate limitation rules. This allows an administrator to create tokens mapped to specific Joomla users who in turn are assigned unique group permissions using Joomla ACL.

The service routes are built into Joomla plugins which can be enabled / disabled or assigned access permissions individually. This opens the door for development of feature expansions to the core cAPI services to expose 3rd party Joomla extensions, database querying or even remote LDAP (Microsoft Active Directory) as RESTful JSON APIs.

Additional Notes

After installation, make sure to enable the newly installed cAPI plugins. In the future we will enable all install plugins by default. Also, please make sure that you secure your public websites via HTTPS before enabling API functionality.

Change Log

cAPI v1.3.5

  • Fix GET /tag/types response to JSON decode any encoded fields.
  • Add en-GB language definitions for token views.
  • Add en-GB definition for COMSERVICESTOKENS_ACTIONS
  • Update docblocks to parameterize license, copyright, author and version for build plan.
  • Temporary update to improve compatibility with CORS on different browsers until a more granular solution is implemented.
  • Allow for blank or null dlid values.
  • Create validation rule class JFormRuleCapidlid for capidlid and move function setDlid() into this validation rule.This allows for dlid updates on save and save & close and ensures only validated input is saved.
  • Resolve bug which prevented the cAPI download ID from properly being assigned to the extension update site.* Remove dedicated capi/dlid library and associated ARS dlid API methods and refactor that functionality into a custom Joomla field for com_services administration.
  • Remove Akeeba Release System (ARS) API method GET /ars/dlid
  • Update downloadid field schema
  • Remove dlid from capi services and add capidlid.php custom field class to com_services models.
  • Resolve issues with token and tokens views and configure administrator custom field token.xml
  • Token custom field for administrator and site token edit view.Userid for site token edit view, required to force pre-population of userid of current session.
  • Resolve bug with status icon in tokens list.
  • Remove mode and debug from tokens administrative view.
  • Update com_services admin images
  • Update language definitions.
  • Remove api_throttle front-end filter item
  • Add userid.php class to /administrator/com_services/models/fields/
  • Compatibility updates to /administrator/components/com_services/views/token/tmpl/edit.php
  • Create com_services administrative model field class token.php
  • Compatibility updates to /administrator/components/com_services/views/token/view.html.php
  • Compatibility updates to /administrator/components/com_services/views/tokens/tmpl/default.php
  • Update docblocks with variablized fields.
  • Compatibility updates to /administrator/components/com_services/views/tokens/view.html.php
  • Update docblocks with variablized fields.
  • Corrections to controller.php docblock
  • Remove history from component configuration.
  • Create custom read-only front-end field userid.php to populate tokenform.
  • Create custom front-end field type: token
  • Remove fixed default token value in front-end view and make read-only
  • Include front-end view classes for tokens.
  • Update joomla-packager.xml to prevent errant deletion of build directory folder.
  • Include installer structure.xml with com_services component.
  • Compatibility updates to com_services services.xml
  • Update joomla-packager to place media files in correct location in compiled package and updated services.xml to include parameters for media file installation.
  • Increment version to 1.3.5 and updated copyright date to 2018.
  • Resolve bug which results in the following error when any level of error reporting is enabled."NOTICE: Trying to get property of non-object"
  • Include postflight() function in comservices script.php to automatically enable services plugins, included with pkgcapi_core, after they have been installed.
  • Revert work on package manifest installer script.Move functionality into component installer script.
  • Update joomla-packager.xml to handle Package install scripts.
  • Update package script name and manifest reference to pkgcapicore.php
  • Include reference to package script file pkg_script.php
  • Removed commented-out parameters from com_services services.xml
  • Remove plugin install function from script.php
  • Revert changes to language file folder definition.
  • Ensure /installer/structure.xml is created in build, but removed from original directory /administrator/installer/
  • Updated to accommodate structure.xml
  • Compatibility updates to /components/com_services/services.php
  • Compatibility updates to /components/com_services/router.php
  • Compatibility updates to /components/com_services/controller.php
  • Update copyright year in doc blocks
  • Compatibility updates to /components/com_services/views/swaggeruimisc/view.html.php
  • Compatibility updates to /components/com_services/views/swaggerui/view.html.php
  • Compatibility updates to /components/comservices/views/slimphpframework/tmpl/defaultfilter.php
  • Compatibility updates to /components/com_services/views/slimphpframework/view.html.php
  • Compatibility updates to all front-end model fields. Includes two new fields:filemultiple.php modifiedby.php
  • Add token form and filter xml files to front-end model forms.
  • Compatibility updates to /components/com_services/models/slimphpframework.php
  • Add front end models for token management.
  • Compatibility update to /components/com_services/helpers/services.php
  • Add front-end controllers for token management.
  • Compatibility update to /components/com_services/controllers/slimphpframework.php
  • Compatibility update to /plugins/search/services/services.xml
  • Compatibility update to /plugins/search/services/services.php
  • Add com_services media to component
  • Update config.xml with comment block including latest examples of fields.
  • Compatibility update to /administrator/components/com_services/script.php
  • Compatibility update to com_services config.xml
  • Compatibility updates to /administrator/components/com_services/controller.php
  • Compatibility updates to /administrator/components/com_services/services.php
  • New administrator model field modifiedby.php
  • New administrator model field filemultiple.php
  • Compatibility update to services.css
  • Compatibility updates to /administrator/components/com_services/controllers/token.php
  • Compatibility updates to /administrator/components/com_services/controllers/tokens.php
  • New com_servers administrator helper class listhelper.php
  • Compatibility updates to /administrator/components/com_services/helpers/services.php
  • Compatibility updates to /administrator/components/com_services/models/fields/timeupdated.php
  • Compatibility updates to /administrator/components/com_services/models/fields/timecreated.php
  • Compatibility updates to /administrator/components/com_services/models/fields/foreignkey.php
  • Compatibility updates to /administrator/components/comservices/models/fields/customfield.php
  • Compatibility updates to /administrator/components/com_services/models/fields/createdby.php
  • Compatibility update: include /administrator/components/comservices/models/forms/filtertokens.xml
  • Remove token default setting in token.xml
  • Compatiblity updates to /administrator/components/com_services/models/forms/token.xml
  • TODO: These administrator model classes will needs to be updated in a future release:- slimphpframework.php - swaggerui.php
  • Compatibility updates to /administrator/components/com_services/models/token.php
  • Compatibility updates to /administrator/components/com_services/models/tokens.php
  • New sql update script: update.mysql.utf8.sql
  • Remove default time for checkedouttime and last_used.
  • Update class ServicesTabletoken to match current Joomala development guidelines.
  • Updated GET /token/manage/all to required either general core.admin or comservices core.admin in order to list all tokens.IMPORTANT: Within Service Control Panel > options > permissions, a group should NOT be given "Configure ACL & Options" privilege if the administrator does not intend that group to have core.admin privilege on comservices.
  • Updated security on updateTokenServicesRestManage() and deleteTokenServicesRestManage() - restrict to core.edit.own privilege on specified $tokenid
  • Remove check preventing requester from deleting the same token used to authenticate access to the method.Updated permissions to allow non-core.admin users to delete their own tokens.
  • Update tokenServicesRestManage() to allow own-token updates in current session.

cAPI v1.3.4.4 is a bug-fix release.

  • Increment to version
  • Update function createTokenServicesRestManage() to allow own-token creation by any registered user, while restriction token creation, on behalf of other users, for requesting accounts which have core.create privilege on com_services.
  • Update docblock for updateTokenServicesRestManage() to include @throws Exception
  • Configured createTokenServicesRestManage() to allow token creation for:

    • Self
    • Other users if core.admin or if core.manage
    • If not core.admin, requesting user must have access to all groups of target user ID (when userid is defined)

    • Affects methods:

    • POST /token/manage/userid/{userid}
    • POST /token/manage/

cAPI v1.3.4.3 is a bug-fix release.

  • Increment to version Change joomlaID to j38
  • Resolved errors caused by undeclared, nested class objects.
  • Change minimum permission for GET component/model and GET component/list/all to core.login.admin
  • TODO: Improve access control check compatibility with various security modes for core and 3rd party extensions.

cAPI v1.3.4.2 was a bug-fix release.

  • Update version to
  • Require "Super User" (core.admin) privileges to access complete components list.
  • Create method GET /component/model to allow retrieving Model class information only. Helps with introspecting third-party Models which may not have known/standard Model methods.
  • Include modelMethod and modelMethodArguments (json) request parameters to GET /component/model/data to accommodate different Model class getters.
  • For GET /component/model/data, use calluserfunc_array to call designated $modelMethod on $instance object with any number of arguments passed as JSON encoded array $modelMethodArguments.
  • Include HTML error codes for invalid requests.

cAPI v1.3.4.1 was a bug-fix release.

  • Remove unnecessary path debug in GET component/list/all response.
  • Update URL for "Find out more about cAPI" link.
  • Change $extension->name to $extension->element
  • Update to version

cAPI v1.3.4

  • Improve error trapping for GET component/model/data
  • Validate getInstance for getComponentModelData
  • Validate JTable::getInstance input for getComponentTableDataById
  • Build advanced filtering for getComponentModelData
  • Implement Joomla ACL per component and individual asset item.
  • New method getComponentModelData
  • Complete development on getComponentTableDataById.Include getclassmethods boolean check in URLparameter to allow class methods and associated parameters to be included in the response (requires core.edit for related component).
  • Update getComponentTableData to getComponentTableDataById.Method will return table data for single ID request.
  • Create method getComponentTableData
  • New method getComponentTableFields for returning component fields.
  • Initial work completed on getComponentListAll. Returns list of all components, along with table and model classes for "site" and "administrator" contexts.
  • Include Basic Authentication SecurityScheme definition.
  • Methods to allow Basic Authentication through Authorization header or force HTTP Apache Auth via URL variable basic_auth=true.
  • Create new class ServicesJoomlaHelpersComponent().
  • Increment to version 1.3.4.

Excellent support

Posted on 11 July 2017

Allowed us to easily create a mobile application as an extension of the existing Joomla site that uses the same authentication details.

Ease of use

Very easy to use.


Great support from the developer, he personally helped to solve all my initial issues, caused by incorrect config of our Joomla site.

Value for money

Good value for money

I used this to: Mobile apps authentication


Last updated:
Feb 28 2018
Date added:
Sep 16 2016
GPLv2 or later
Paid download

Uses Joomla! Update System

Demo Support Documentation
  • Overall
  • Functionality

  • Ease of use

  • Documentation

    Not rated
  • Support

  • Value for money