
Base URL

All API requests are made to your tenant’s subdomain:
https://{tenant}.ekso.app/api/

Authentication

The Ekso API uses Bearer token authentication. Include your JWT token in the Authorization header of every request:
Authorization: Bearer <your-token>
Tokens are obtained via the OAuth 2.0 authorization code flow with PKCE.

OAuth 2.0

Ekso implements OAuth 2.0 with the following endpoints:
Endpoint             URL
Discovery            /.well-known/oauth-authorization-server
Authorization        /authorize
Token                /token
Client registration  /register

Supported grant types: authorization_code, refresh_token
Code challenge method: S256 (PKCE required)

Error Handling

All error responses share a consistent shape:
{
  "kind": "Validation",
  "message": "Human-readable error description",
  "fields": [
    { "field": "email", "code": "required" }
  ]
}
HTTP status  Kind        When
400          Validation  Field-level validation errors; check the fields array
403          Permission  Insufficient permissions for this action
422          Logic       Business rule violation (e.g. item not found, invalid state transition)
500          Exception   Internal server error
The fields array is only populated for Validation errors.
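The PKCE authorization flow described under OAuth 2.0 and the error shape above, as an added client-side example (not Ekso's own SDK). It assumes the /authorize and /token endpoints hang off the tenant base URL, and uses a placeholder tenant, client_id and redirect_uri.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumption: OAuth endpoints are relative to the tenant base URL shown on this page.
BASE = "https://{tenant}.ekso.app/api/"


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 verifier: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes -> 43 chars.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    # S256 method required by the API: BASE64URL(SHA256(ASCII(verifier))), no padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant, client_id, redirect_uri, challenge, state, scope=None):
    # Only the challenge leaves the client at this step; the verifier stays local.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,  # bind the callback to this session; verify it on return
    }
    if scope:
        params["scope"] = scope
    return BASE.format(tenant=tenant) + "authorize?" + urlencode(params)


def token_request_body(client_id, redirect_uri, code, verifier):
    # Form body for POST /token: the verifier (not the challenge) proves possession.
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}


def describe_error(status: int, body: dict) -> str:
    # Turns the documented error shape into an actionable summary; 429 carries no "kind".
    if status == 429:
        return "rate limited (50 req/s per IP): back off and retry"
    kind = body.get("kind")
    if kind == "Validation":  # the only kind whose "fields" array is populated
        fields = ", ".join(f"{f['field']}={f['code']}" for f in body.get("fields", []))
        return f"validation failed: {fields}"
    return f"{kind}: {body.get('message')}"
```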

Versioning

The API supports versioning via multiple methods:
Method        Example
Query string  ?api-version=1.0
URL segment   /api/v1.0/...
Header        x-api-version: 1.0
Media type    Accept: application/json; x-api-version=1.0
If no version is specified, the latest version is used.

Rate Limits

API endpoints are rate-limited to 50 requests per second per IP address. When the limit is exceeded, the API returns HTTP 429 Too Many Requests.

Response Format

All responses use JSON (application/json). Successful responses return HTTP 200 with the data payload directly in the response body.