/
How to Publish a REST API to X-Road?

How to Publish a REST API to X-Road?

These instructions guide Security Server administrators through the process of adding and registering a new subsystem in X-Road and configuring a REST API service for it. They cover both cases where the subsystem already exists and where it needs to be created, including approval steps and expected status changes. The guide also explains how to publish a REST service with an OpenAPI 3 service description, enable it, configure its access rights, and manage TLS certificate verification. The goal is to complete the basic setup required to make the service available to other X-Road members.

1. Add a New Subsystem

  1. In the Clients view, locate the Member who is publishing the service.

  2. Click the Add subsystem button in that Member’s row.

Screenshot 2025-06-23 at 9.57.34.png

  1. In the Add subsystem view:

    • If the subsystem already exists in the global configuration:

      • Click Select Subsystem and choose it from the list.

Screenshot 2025-06-23 at 9.58.40.png
Screenshot 2025-06-23 at 9.58.54.png

  • If the subsystem does not exist:

    • Enter the Subsystem Code and Subsystem Name.

  • In both cases, leave the Register subsystem checkbox selected.

  1. Click the Add subsystem button.

Screenshot 2025-06-23 at 9.59.05.png

  1. Confirm the registration by clicking Yes in the confirmation dialog.

Screenshot 2025-06-23 at 9.59.16.png

2. Subsystem Status and Naming Behavior

  • You will be redirected back to the Clients view, and a notification “Subsystem added” will appear at the bottom of the page.

Screenshot 2025-06-23 at 9.59.33.png

  • The newly added subsystem appears in the Clients list with the status “Registration in progress.”

    • If the subsystem was newly created, its name appears as “Undefined.” This is expected and will be updated once registration is complete.

    • If the subsystem already existed, the correct name will be displayed immediately.

  • The registration request must be approved on the Central Server:

    • This may be done automatically or manually, depending on the Central Server’s configuration.

    • If automatic, the status typically updates to “Registered” within a few minutes. Reload the Clients view to refresh the status.

3. Configure the Service

  1. Click the subsystem name to open its details.

Screenshot 2025-06-23 at 10.01.31.png

  1. Go to the Services tab.

    • You may configure the service even if the subsystem registration is not yet complete.

    • However, other X-Road members cannot invoke the service until both registration and service configuration are finalized.

Screenshot 2025-06-23 at 10.01.48.png

  1. Click Add REST.

Screenshot 2025-06-23 at 10.01.59.png

  1. In the Add REST service view:

    • Select OpenAPI3 Description as the URL type.

    • Enter the OpenAPI3 specification URL in the URL field (e.g., https://d14r9k0rinox9f.cloudfront.net/yaml/x-road-stats.yaml).

    • Enter the Service Code (e.g., TestAPI).

  2. Click Add.

Screenshot 2025-06-23 at 9.50.25.png

4. Enable and Verify the Service

  • The Security Server fetches and parses the OpenAPI description.

  • The service is added to the Services list but is disabled by default.

  • Enable it by toggling the switch on the right side of the service row.

Screenshot 2025-06-23 at 9.50.37.png

  • A notification “Service description enabled” will appear.

  • Click the “>” symbol on the left to expand service details.

Screenshot 2025-06-23 at 9.50.51.png

  • Click the Service Code to open the full details.

Screenshot 2025-06-23 at 9.51.03.png

5. Review and Edit the Service URL

  • The Service URL is extracted from the OpenAPI servers.url field.

  • This URL is where the Security Server forwards incoming requests.

  • If the parsed value is incorrect, it can be manually edited.

Screenshot 2025-06-23 at 9.51.16.png

6. TLS Certificate Handling

More information about the different TLS certificate verification configuration options is available in the Security Server User Guide.

  • By default, Verify TLS certificate is enabled.

    • This means the Security Server verifies the API’s TLS certificate.

    • To enable verification, upload the API's certificate in the Internal servers → Information System TLS certificate section.

  • If you prefer not to verify the TLS certificate:

    • Uncheck Verify TLS certificate.

    • In this case, no certificate upload is needed.

  • Click Save to apply the configuration.

Screenshot 2025-06-23 at 9.51.34.png

7. Configure Access Rights

More information about defining access rights is available in the Security Server User Guide.

  1. In the Access Rights section, click Add subjects.

  2. Click Search without entering any criteria to list all registered subsystems.

  3. Select the desired client subsystem(s) and click Add selected.

Screenshot 2025-06-23 at 9.52.05.png

  1. The selected subsystems now appear under Access Rights. It has access to all the endpoints that belong to the REST API.

Screenshot 2025-06-23 at 9.52.17.png

  1. Alternatively, instead of giving access to all the API endpoints, it’s possible to define access rights on an endpoint level. Open the Endpoints tab to view the list of endpoints parsed from the OpenAPI description and define access to them separately.

Screenshot 2025-06-23 at 10.40.27.png

  1. Click Close to return to the Services view.

Screenshot 2025-06-23 at 9.52.25.png

8. Upload TLS Certificate (If Needed)

  • If TLS verification is enabled, go to the Internal servers tab.

  • In the Information System TLS certificate section, click Add to upload the API’s TLS certificate.

Screenshot 2025-06-23 at 9.52.41.png

9. Testing the Service (Optional)

  • Go to the Security Server where the client subsystem is registered.

  • Go to the Internal Servers tab of the client subsystem.

  • Change the Connection type to HTTP (by default, the connection type is HTTPS).

The connection type HTTP is insecure and therefore, it should be used for testing purposes only. Instead, the connection type HTTPS should always be used in production.

When the connection type is HTTPS, the TLS client certificate of the consumer information system must be uploaded to the consumer Security Server. The certificate is uploaded under the client subsystem, in the Internal Servers tab, within the Information System TLS Certificate section.

More information about the different connection types is available in the Security Server User Guide.

Screenshot 2025-06-23 at 10.30.19.png

  • Send a test request to the client Security Server. For example:

curl -X GET \ -H 'X-Road-Client: TEST/GOV/1234/TestClient' \ 'http://<CLIENT_SECURITY_SERVER_HOST>:8080/r1/TEST/GOV/1234/TestService/TestAPI/instances'

  • Note: You have to use the same client and service identifiers that you used when configuring the client and service.

10. How to construct the service URL on the client Security Server (Example)?

  • For example, the base path of the REST API is https://api.stats.x-road.global/v1, and the API exposes an endpoint at /instances. When invoking the endpoint directly, the full request URL is:

https://api.stats.x-road.global/v1/instances

  • However, when invoking the same endpoint over X-Road, you must replace the REST API's base path with the client Security Server's REST interface URL and append the X-Road service identifier as path parameters, following this format:

http://<CLIENT_SECURITY_SERVER_HOST>:8080/r1/<INSTANCE_IDENTIFIER>/<MEMBER_CLASS>/<MEMBER_CODE>/<SUBSYSTEM_CODE>/<SERVICE_CODE>/<REST_API_ENDPOINT>

  • For example, the direct API endpoint:

https://api.stats.x-road.global/v1/instances

  • Becomes the following URL when invoked over X-Road when the service identifier is TEST/GOV/1234/TestService/TestAPI:

http://<CLIENT_SECURITY_SERVER_HOST>:8080/r1/TEST/GOV/1234/TestService/TestAPI/instances

 Related articles