API Documentation ================= BBBLB implements the `BBB API `__ and serves those routes under the standard ``/bigbluebutton/api/*`` path. It also provides its own management API under the ``/bbblb/api/v1/*`` path. This API is described here. .. _tokenauth: Token Authentication -------------------- Most non-public BBBLB APIs are protected with JWT tokens that need to be signed by a trusted party and provided as an ``Authorization: bearer `` header. There are three types of tokens: - **Admin Tokens** are signed with the global ``BBBLB_SECRET`` and allow admins or automation tools to manage and control BBBLB at runtime. Only BBBLB admins can create those tokens. Their permissions can be limited with *scopes* (see below). - **Tenant Tokens** are signed with the tenant-specific API secret, which allows tenants to create their own tokens. Those are of course limited to tenant-owned resources. - **Server Tokens** are signed with the back-end server API secret, which allows back-end BBB servers to generate their own tokens. Those are limited to very specific actions, e.g. uploading recordings or signaling server state. You can use the ``bbblb maketoken`` command to create all three types of token. .. code:: sh # Admin Token $ bbblb maketoken -v --expire 600 admin1 admin Token Header: {} Token Payload: {'sub': 'admin1', 'aud': 'bbb.example.com', 'scope': 'admin', 'jti': 'd31651f68f8b7a4c', 'exp': 1763460734} eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1p[...] # Server Token $ bbblb maketoken -v --expire 600 --server node01.example.com bbb1 Token Header: {'kid': 'bbb:node01.example.com'} Token Payload: {'sub': 'bbb1', 'aud': 'bbb.example.com', 'jti': 'b9a1383f61b39585', 'exp': 1763460734} eyJhbGciOiJIUzI1NiIsImtpZCI6ImJiYjpub2RlMDEuZXhhbXBsZ[...] # Tenant Token $ bbblb maketoken -v --expire 600 --tenant default default1 Token Header: {'kid': 'tenant:default'} Token Payload: {'sub': 'default1', 'aud': 'bbb.example.com', 'jti': '7e48835a2bef9315', 'exp': 1763460734} eyJhbGciOiJIUzI1NiIsImtpZCI6InRlbmFudDpkZWZhdWx0Iiwid[...] Token Scopes ~~~~~~~~~~~~ The ``scope`` claim can be used to limit permissions for *Admin tokens*. The claim should be a space-separates string of scopes. Scopes have no effect for tenant- or server-tokens. Those have hard-coded scopes and are limited to very specific actions. - ``rec`` Manage recordings. This parent scope implies all ``rec:*`` scopes. - ``rec:list`` List recordings. - ``rec:create`` Import new recordings. - ``rec:update`` Edit or publish/unpublish recordings. - ``rec:delete`` Delete recordings. - ``tenant`` Manage tenants. This parent scope implies all ``tenant:*`` scopes. - ``tenant:list`` List tenants. - ``tenant:create`` Create new tenants. - ``tenant:update`` Update tenants. - ``tenant:delete`` Delete tenants. - ``tenant:secret`` View and change the tenant secret. - ``server`` Manage backend servers. This parent scope implies all ``server:*`` scopes. - ``server:list`` List all servers. - ``server:create`` Register new servers. - ``server:update`` Update servers and server state. - ``server:delete`` Delete servers. - ``self:tenant`` Special scope that is assigned to self-signed tenant tokens. - ``self:server`` Special scope that is assigned to self-signed server tokens. - ``admin`` This scope grants full access. It implies all other scopes. API Endpoints ------------- BBB API ~~~~~~~ .. _BBBAPI: https://docs.bigbluebutton.org/development/api/ BBBLB implements the official `BBB API `_ available under the standard ``/bigbluebutton/api/*`` path. With BBBLB, each tenant uses their own private API secret to generate the `checksum` for BBB API calls. To learn how to access this API and how to authenticate, please refer to the `official documentation `_. .. rubric:: Limitations Some BBB APIs cannot be fully implemented by a load balancer or require additional work. None of this should affect the typical front-end application, but here is a list of all known limitations or deviations: * ``getJoinUrl`` is an internal API used exclusively by HTML5client and not available to front-end applications. See `Issue #24212 `_. * ``putRecordingTextTracks`` and ``getRecordingTextTracks`` require processing steps on the back-end BBB server that would not be reflected in already transferred recordings. We may find a way to implement this in the future. Scalelite does not implement those APIs. * The root resource at ``/bigbluebutton/api/`` will only return minimal information and not the recently added graphql endpoint information. Those are used exclusively by HTML5client and should not be of any interest for front-end applications. * The ``getRecordings`` listing has an upper limit of ``BBBLB_MAX_ITEMS`` even if the client requested more items. * The ``join`` API will redirect the client twice. The first redirect will point to a new join url on the actual BBB server. This only affects clients that handle the redirect target in some special way instead of just following it. Webhooks ~~~~~~~~~~~~~~~~~~~~~~ BBB defines a bunch of webhooks that front-ends can use to get notified about ended meetings or finished recordings. BBBLB hooks into those webhooks and forwards them to the actual front-end. Most newer webhooks in BBB are protected by wrapping their entire payload into a non-standard JWT token that is signed with the BBB API secret. Since BBBLB sits in between the front-end and the actual BBB server, it has to intercept those webhooks, verify the token against the back-end secret, re-sign the token with the tenant-specific font-end secret, and then forward the request to the original target url. This happens automatically for all *known* callbacks, and can be enabled for additional callbacks if needed. The ``endMeetingURL`` and ``meta_endMeetingURL`` webhooks are usually not authenticated at all. BBBLB intercepts the ``endMeetingURL`` webhook to quickly clean up its own meeting state after a meeting ends. To protect this webhook from abuse, BBBLB will create a *signed* URL using its own ``BBBLB_SECRET``. This is transparent to the front-end, tenants are allowed to use both webhooks without limitations. Recording Upload ~~~~~~~~~~~~~~~~ * **POST** `/bbblb/api/v1/recording/upload` (Content-Type: *application/x-tar*) The recording upload API expects an *application/x-tar* archive of a recording directory, optionally compressed with gzip. The tar archive can actually contain multiple recordings or recording formats. Any directory that contains a `metadata.xml` is considered during the import process. .. rubric:: Authentication This endpoint requires a :ref:`Server Token `, or an :ref:`Admin Token ` with the `record:create` scope. .. rubric:: Parameters ============== ======== =========== Parameter Location Description ============== ======== =========== `Content-Type` header Must be `application/x-tar`. `*` body A tar or tar.gz archive with recording data. `tenant` query Assign all records to a specific tenant instead of auto-detecting the tenant from recording metadata. ============== ======== =========== .. rubric:: Response Recording import triggers background tasks for the actual import. A ``202 Accepted`` response will indicate that the upload was successful, but the actual import will happen later. .. rubric:: Examples .. code-block:: bash API="https://bbblb.example.com/bbblb/api/v1/recording/upload" TOKEN="..." MEETING="d48a35e5c9bef7d5ca0f507c969e3d17a6005abf-1763452847184" FORMAT="presentation" tar -c "/var/bigbluebutton/published/$FORMAT/$MEETING/" \ | curl -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/x-tar" \ -X POST -T - "$API" Tenant Management ~~~~~~~~~~~~~~~~~ TODO (API is not stable yet) Server Management ~~~~~~~~~~~~~~~~~ TODO (API is not stable yet)