k12panel API concepts
A few ideas make the whole API easier to use.
Record IDs
Every asset, person, site, and group has a numeric ID — for example 4021. This is the same ID you see in the app's web address and in your CSV exports, so an ID from an export works directly with the API and vice-versa. Once you know a record's ID, it's a permanent handle to that record.
Finding records by what you already know
You usually don't know the ID up front — you know a serial number, an asset tag, or an email address. So you look records up first, then use the ID you get back:
- Find assets by
serial,asset_tag, orname. - Find people by
emailorname.
# Find an asset by serial, then read its id from the response
curl -H "Authorization: Bearer $KEY" \
"https://<your-panel-domain>/api/public/v1/assets?serial=5CD1234XYZ"
Match rules: serial, asset_tag, and email match exactly (case-insensitive); name matches partially (contains). Because serials and emails aren't guaranteed to be unique, a lookup can return more than one record — see Handling errors.
Reference data
To fill in things like a site when updating an asset, you first need the IDs of your sites, groups, and classes. These are available read-only:
GET /sitesGET /org-unitsGET /person-groupsGET /asset-classesGET /asset-tagsGET /meta— the allowed values for fields like an asset's state
Check-in and check-out
An asset can be checked out to exactly one person at a time. Checking out records who has the device and adds an entry to both the device's and the person's history. Checking in clears it. This is exactly how check-in/out works in the web interface.
When you check a device in or out through the API, the history entry is attributed to the key's name (shown as APIKEY_<name>), so API actions are easy to tell apart from actions a staff member took in the app.
You can identify the person either by their ID or by email — you don't have to look them up first:
{ "person": { "email": "jsmith@school.org" } }
Keys and permissions
Your key belongs to one organization and only has the permissions you granted it. Keep it secret (treat it like a password), and revoke or rotate it any time from Settings → API Keys. See Getting started.