IoT API for Developers — REST, gRPC, Real-Time | Kilo

Developers

One IoT API for everything you build

REST over standard HTTPS and JSON, gRPC where typed contracts matter, real-time streams over WebSocket and SSE — authenticated with scoped API keys and identical in the cloud and on-premise.

api.kiloiot.io

200 OK
$ curl -sS https://api.kiloiot.io/api/v2/devices \
    -H "X-API-Key: $KILO_API_KEY" \
    -H "X-Organization-Id: $KILO_ORG_ID"

A minimal authenticated request — two headers, standard HTTPS, JSON back.

Protocols

REST first, gRPC when you need it, streams for live data

Two protocols and real-time streams on the same secured endpoint — pick the surface that fits your integration and keep the same scoped keys.

The primary path

REST API

Standard HTTPS and JSON, usable from any HTTP client. Read device state and sensor history, manage dashboards and connections, work with rule definitions and their versions, and dispatch device commands — everything your key’s scopes allow.

  • HTTPS + JSON from any language or tool
  • Devices, sensors, dashboards, rules, commands
  • Documented endpoint by endpoint at api.kiloiot.io

The advanced path

gRPC API

A typed interface for service-to-service integration — generated clients and a stable contract, with the same scoped API-key authentication as REST. A natural fit for on-premise installations connecting internal systems.

  • Typed, generated clients
  • Service-to-service and on-premise integration
  • Same X-API-Key authentication as REST

No polling

Real-time streams

Live telemetry is available externally over WebSocket and Server-Sent Events (SSE) — the same mechanisms the platform’s own dashboards use — so external systems consume data as it arrives instead of polling for it.

  • WebSocket and SSE endpoints
  • The same streams the dashboards run on
  • Data as it arrives — no refresh cycles

Security

Scoped API keys, built for least privilege

Every request — REST or gRPC — authenticates with a scoped key in the X-API-Key header plus your organization in X-Organization-Id. Keys are created and managed in Settings → API Keys.

01

Read and Write scopes per area

Devices, sensors, dashboards, rules, commands, connections, and more — most areas split into separate Read and Write scopes, and a key grants only what you select at creation.

02

Shown once, rotated in one click

The full key value appears once at creation; only a short prefix stays visible afterward. Rotation issues a new value and deactivates the old key immediately — the only recovery path for a lost key.

03

Expiry, status, and last use

Give contractor or temporary keys an expiry date, and track every key’s status — Active, Rotated, or Revoked — along with the timestamp of its most recent call.

04

Organization isolation

A key belongs to the organization it was created in, and the organization on each request must match — one tenant’s key can never touch another tenant’s data.

Settings → API Keys

⚠ Copy this key now. You will not be able to see it again.

Name (key prefix)              Scopes                          Status    Last Used
wms-sync-prod (kilo_9f2…)      Devices · Read, Sensors · Read  Active    2026-07-01 14:32
analytics-pipeline (kilo_c41…) Dashboards · Read               Active    2026-07-01 09:05
ci-deploy-rules (kilo_77a…)    Rules · Write                   Rotated   2026-06-12 18:20
contractor-audit (kilo_e08…)   Logs · Read                     Revoked   2026-05-30 11:47

Managed in Settings → API Keys: one key per integration, scoped to exactly what it needs.
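
A client-side wrapper for the two-header scheme described above, as an added example that is not Kilo's own code: it validates the credentials before use, keeps the key out of the process list by handing the headers to curl on stdin, and logs only a short prefix. The function names and the 8-character redaction width are assumptions; the header names, the kilo_<key> format and the /api/v2/devices path come from this page.

```shell
#!/bin/sh
# Added example, not Kilo's code. Function names and the 8-character
# redaction width are assumptions; header names come from the page.
KILO_BASE_URL="${KILO_BASE_URL:-https://api.kiloiot.io}"

# Log-safe form of a key: "kilo_" plus three characters, like the prefix
# the key list keeps visible.
kilo_redact() {
  printf '%.8s...\n' "$1"
}

# Fail closed before any request is built.
kilo_check_env() {
  case "${KILO_API_KEY:-}" in
    kilo_?*) ;;
    *) echo "KILO_API_KEY is unset or not in kilo_<key> form" >&2; return 1 ;;
  esac
  [ -n "${KILO_ORG_ID:-}" ] || { echo "KILO_ORG_ID is unset" >&2; return 1; }
  # Whitespace (including CR/LF), quotes and backslashes would let a value
  # break out of its quoted config line or add a header of its own.
  case "${KILO_API_KEY}${KILO_ORG_ID}" in
    *[[:space:]]*|*\"*|*\\*)
      echo "credential contains whitespace, quote or backslash" >&2; return 1 ;;
  esac
  case "$KILO_BASE_URL" in
    https://*) ;;
    *) echo "refusing non-HTTPS base URL: $KILO_BASE_URL" >&2; return 1 ;;
  esac
}

# curl config lines carrying the two headers. printf is a shell builtin, so
# the key never appears in another process's argument list.
kilo_curl_config() {
  printf 'header = "X-API-Key: %s"\n' "$KILO_API_KEY"
  printf 'header = "X-Organization-Id: %s"\n' "$KILO_ORG_ID"
}

# GET a path such as /api/v2/devices. Headers reach curl on stdin, not argv;
# --proto pins HTTPS, and without -L curl follows no redirects, so the key is
# not replayed to another host.
kilo_get() {
  kilo_check_env || return 1
  echo "kilo_get $1 key=$(kilo_redact "$KILO_API_KEY")" >&2
  kilo_curl_config | curl -sS --fail --proto '=https' --config - \
    "${KILO_BASE_URL}$1"
}
```

Source the file and call kilo_get /api/v2/devices with KILO_API_KEY and KILO_ORG_ID supplied by the environment, for example from a secret store.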

Deployment

The same IoT API in the cloud and on your own infrastructure

Integrations built against the cloud endpoint carry over unchanged to a self-hosted installation — one API surface, wherever the server runs.

Kilo Cloud

The managed endpoint: create a key in Settings → API Keys and start calling the API — no infrastructure of your own to run.

  • Managed, secured endpoint
  • Start free — no payment details
  • Full API reference at api.kiloiot.io

Kilo On-Premise

The same server, self-hosted inside your own network boundary — with the same REST and gRPC API and the same scoped keys, so nothing about your integrations changes.

  • Runs inside your network boundary
  • Identical API — integrations port unchanged
  • gRPC as a natural fit for internal service-to-service automation

Open source

KiloCenter — the open-source mioty service center

KiloCenter is our open-source mioty service center, released under the AGPL license and developed in the open on GitHub. It runs the mioty side of your network as a product in its own right — built for developers who want to own their stack.

Integrate over gRPC and MQTT, deploy with Docker or Kubernetes, and connect it to whatever you run downstream.

Developers

Developer FAQ

How do I authenticate API requests?

Every request carries a scoped API key in the X-API-Key header (format kilo_<key>) plus your organization ID in X-Organization-Id. Keys are created in Settings → API Keys, and all traffic runs over TLS.

Should I use REST or gRPC?

Start with REST — it is the primary path and works from any HTTP client. Choose gRPC when you specifically need typed, generated clients or service-to-service integration, typically on-premise. Both authenticate the same way.

Can I get real-time data without polling?

Yes. Live streams are available over WebSocket and Server-Sent Events (SSE) — the same mechanisms the platform’s dashboards use internally — so your systems receive data as it arrives.

Is the API the same on an on-premise installation?

Yes. An on-premise installation exposes the same API within your own network boundary, so integrations built against the cloud carry over unchanged — and gRPC is a natural fit there for internal automation.

Start building on the Kilo IoT API

Create a free account, generate a scoped key, and make your first call in minutes — or book a call to plan an on-premise deployment.