Skip to main content
GET
/
api
/
consumer
/
v1
/
Consumer API
curl --request GET \
  --url https://api.restrafes.co/api/consumer/v1/ \
  --header 'X-API-Key: <api-key>'
import requests

url = "https://api.restrafes.co/api/consumer/v1/"

headers = {"X-API-Key": "<api-key>"}

response = requests.get(url, headers=headers)

print(response.text)
const options = {method: 'GET', headers: {'X-API-Key': '<api-key>'}};

fetch('https://api.restrafes.co/api/consumer/v1/', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));
package main

import (
"fmt"
"net/http"
"io"
)

func main() {

url := "https://api.restrafes.co/api/consumer/v1/"

req, _ := http.NewRequest("GET", url, nil)

req.Header.Add("X-API-Key", "<api-key>")

res, _ := http.DefaultClient.Do(req)

defer res.Body.Close()
body, _ := io.ReadAll(res.Body)

fmt.Println(string(body))

}
The Consumer API provides programmatic access to XCS access control features. It is designed for automated systems that need to interact with the platform without a browser-based session.

Base URL

https://api.restrafes.co/api/consumer/v1

Authentication

All Consumer API requests require an API key passed in the X-API-Key header:
curl -H "X-API-Key: your-api-key-here" \
  https://api.restrafes.co/api/consumer/v1/
Organization API keys are generated from the organization management page on the XCS dashboard. The API key must be authorized for the organization and resource you are trying to access.
Keep your API key secure. Do not share it in client-side code, version control, or public channels. If a key is compromised, revoke it from the dashboard and generate a new one.

Endpoints

MethodPathDescription
GET/Root health check — returns API status
GET/pingPing with version information
GET/organizationsList organizations authorized for this API key
POST/access-points/{id}/remote-unlockTrigger a remote unlock on an access point

Health Check

Verify that the API is reachable and your API key is valid.
curl -H "X-API-Key: your-api-key-here" \
  https://api.restrafes.co/api/consumer/v1/
Example response:
{
  "status": "ok",
  "service": "consumer-api"
}

Ping

Check API version and connectivity.
curl -H "X-API-Key: your-api-key-here" \
  https://api.restrafes.co/api/consumer/v1/ping
Example response:
{
  "status": "ok",
  "version": "2.0.0"
}

List Organizations

Retrieve the organizations that your API key is authorized to access.
curl -H "X-API-Key: your-api-key-here" \
  https://api.restrafes.co/api/consumer/v1/organizations
Example response:
[
  {
    "id": "org-uuid-here",
    "name": "My Studio",
    "role": "owner"
  }
]

Remote Unlock

See the Remote Unlock page for the complete reference, including request parameters, scope options, error handling, and the Roblox MessagingService integration.

Error Response Format

When an API request fails, the response includes:
{
  "error": "Description of what went wrong"
}
Some error responses also include a requestId field for debugging.

Common HTTP Status Codes

CodeMeaning
200Success
400Bad request — invalid parameters or missing required fields
401Unauthorized — invalid or missing API key
403Forbidden — API key not authorized for this resource
404Resource not found
422Unprocessable entity — configuration issue (e.g., missing Roblox Universe ID)
429Too many requests — rate limit exceeded
502Bad gateway — upstream service error (e.g., Roblox MessagingService failure)
504Gateway timeout — upstream service did not respond in time