This page answers a common pre-purchase question: "Does XSender have an Admin REST API so I can manage users, plans, devices, or gateways from another system?"
Short answer: partially. XSender's HTTP surface is intentionally focused on messaging — the things you do every minute. Administrative actions (CRUD on users, plans, gateways, settings) live in the admin panel because they are configured rarely and are security-sensitive. Below is a precise breakdown of what is exposed today, what is not, and how to achieve common "admin from outside" goals.
| Capability | Available via API? | Endpoint |
|---|---|---|
| Send Email / SMS / WhatsApp | ✅ Yes | POST /api/{channel}/send |
| Read dispatch / log status | ✅ Yes | GET /api/get/{channel}/{uid} |
| Trigger an automation workflow | ✅ Yes (webhook) | POST /api/automation/webhook/{id} |
| Receive ESP delivery events | ✅ Yes (webhook) | POST /api/webhook/email/{provider} |
| Capture Meta / Google Lead Ads | ✅ Yes (webhook) | POST /api/webhook/meta-lead-ads, POST /api/webhook/google-ads-lead |
| Register / re-link an Android device | ✅ Yes | POST /api/gateway/sms/android/register-session |
| Manage SIMs on a device | ✅ Yes | /api/gateway/sms/android/sim/* |
| Create / suspend / delete a user | ❌ Admin panel only | — |
| Assign a plan, top-up credit | ❌ Admin panel only | — |
| Add / edit a gateway, change credentials | ❌ Admin panel only | — |
| Edit global settings (SMTP, app URL, branding) | ❌ Admin panel only | — |
The same POST /api/{channel}/send endpoint behaves differently depending on which key you authenticate with:
| | User key | Admin key |
|---|---|---|
| Gateways available | User's own gateways + ones the admin shared with them | All admin-configured gateways |
| Plan / credit enforcement | Yes — credit is deducted, quota is enforced | No — admin sends bypass plan limits |
| Counts against analytics | Yes — under that user | Yes — under "admin" tenant |
| Webhook source identification | user_id populated | user_id = null, by_admin = true |
Use the admin key for system-of-record traffic that should never fail due to plan limits (your own transactional emails, internal notifications). Use a user key for everything tenant-attributable.
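
An added example (not XSender's own code) of a receiver-side check built on the `user_id` / `by_admin` fields from the table above: it attributes each event to a tenant or to the admin key, rejects bodies where the two fields disagree, and flags admin-key volume above a budget, since admin sends are not capped by plan limits. Only `user_id` and `by_admin` come from this page; the `uid` and `channel` fields, the JSON body shape and the `admin_budget` parameter are assumptions.

```python
import json
from collections import Counter

# Constructed sample bodies. Only `user_id` and `by_admin` come from the page;
# `uid` and `channel` are hypothetical fields added for illustration.
SAMPLE_EVENTS = [
    '{"uid": "a1", "channel": "email", "user_id": 42, "by_admin": false}',
    '{"uid": "a2", "channel": "sms", "user_id": null, "by_admin": true}',
    '{"uid": "a3", "channel": "sms", "user_id": null, "by_admin": true}',
    '{"uid": "a4", "channel": "email", "user_id": 42, "by_admin": true}',
    '{"uid": "a5", "channel": "whatsapp", "user_id": null}',
    'not json',
]


def classify(raw):
    """Return ("tenant", user_id), ("admin", None) or ("invalid", reason)."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return ("invalid", "unparseable body")
    if not isinstance(event, dict):
        return ("invalid", "body is not a JSON object")
    user_id = event.get("user_id")
    by_admin = event.get("by_admin", False)  # assumption: absent means false
    if by_admin is True and user_id is None:
        return ("admin", None)
    if by_admin is False and user_id is not None:
        return ("tenant", user_id)
    return ("invalid", "user_id and by_admin disagree")


def audit(raw_events, admin_budget):
    """Tally event sources and flag admin-key volume above admin_budget."""
    counts, rejected = Counter(), []
    for raw in raw_events:
        kind, detail = classify(raw)
        if kind == "invalid":
            rejected.append(detail)
        counts[f"user:{detail}" if kind == "tenant" else kind] += 1
    return {
        "counts": dict(counts),
        "rejected": rejected,
        # Admin sends bypass plan limits, so this budget is the only ceiling.
        "admin_over_budget": counts["admin"] > admin_budget,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS, admin_budget=1))
```
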
Today this requires either:
php artisan xsender:user:create and xsender:plan:assign — you can SSH or use a cron-runner to invoke these.
A formal Admin REST API for user/plan CRUD is on the v4.6 roadmap. If you need it sooner, get in touch — most installations have shipped a thin add-on package that exposes exactly the admin endpoints they need, secured with mTLS or IP allow-list.
Use the Automation Trigger Webhook — see Webhooks — Incoming Triggers. The unguessable per-workflow URL means you can hand it to a third-party platform without sharing your master API key.
For 1–10 phones, pair each by QR scan in the admin panel. For larger fleets, use the Android SMS Gateway API's register-session endpoint — your MDM (Mobile Device Management) software can push pairing tokens to devices at provisioning time.
Not currently available over HTTP. Use the bundled Schema Reconciler / settings export CLI tool — see the Configuration section.
For completeness, the admin panel itself supports role-based access:
Admin → Staff.
These roles do not yet bind to API tokens — every API key carries the full permissions of its owner.
Admin Profile → Security.
allow/deny in the /admin location).
repair.php recovery tool — when present in the public directory — is gated by a token and self-deletes after a successful run. Re-upload it only when you actively need it.
Tell us your use case in the support channel. The Admin REST API is being expanded for v4.6, and prioritisation is driven by real-world requests.