Developers
One IoT API for everything you build
REST over standard HTTPS and JSON, gRPC where typed contracts matter, real-time streams over WebSocket and SSE — authenticated with scoped API keys and identical in the cloud and on-premise.
api.kiloiot.io
200 OK$ curl -sS https://api.kiloiot.io/api/v2/devices \
-H "X-API-Key: $KILO_API_KEY" \
-H "X-Organization-Id: $KILO_ORG_ID" A minimal authenticated request — two headers, standard HTTPS, JSON back.
Protocols
REST first, gRPC when you need it, streams for live data
Two protocols and real-time streams on the same secured endpoint — pick the surface that fits your integration and keep the same scoped keys.
The primary path
REST API
Standard HTTPS and JSON, usable from any HTTP client. Read device state and sensor history, manage dashboards and connections, work with rule definitions and their versions, and dispatch device commands — everything your key’s scopes allow.
- HTTPS + JSON from any language or tool
- Devices, sensors, dashboards, rules, commands
- Documented endpoint by endpoint at api.kiloiot.io
The advanced path
gRPC API
A typed interface for service-to-service integration — generated clients and a stable contract, with the same scoped API-key authentication as REST. A natural fit for on-premise installations connecting internal systems.
- Typed, generated clients
- Service-to-service and on-premise integration
- Same X-API-Key authentication as REST
No polling
Real-time streams
Live telemetry is available externally over WebSocket and Server-Sent Events (SSE) — the same mechanisms the platform’s own dashboards use — so external systems consume data as it arrives instead of polling for it.
- WebSocket and SSE endpoints
- The same streams the dashboards run on
- Data as it arrives — no refresh cycles
Security
Scoped API keys, built for least privilege
Every request — REST or gRPC — authenticates with a scoped key in the X-API-Key header plus your organization in X-Organization-Id. Keys are created and managed in Settings → API Keys.
Read and Write scopes per area
Devices, sensors, dashboards, rules, commands, connections, and more — most areas split into separate Read and Write scopes, and a key grants only what you select at creation.
Shown once, rotated in one click
The full key value appears once at creation; only a short prefix stays visible afterward. Rotation issues a new value and deactivates the old key immediately — the only recovery path for a lost key.
Expiry, status, and last use
Give contractor or temporary keys an expiry date, and track every key’s status — Active, Rotated, or Revoked — along with the timestamp of its most recent call.
Organization isolation
A key belongs to the organization it was created in, and the organization on each request must match — one tenant’s key can never touch another tenant’s data.
Settings → API Keys
⚠ Copy this key now. You will not be able to see it again.
| Name | Scopes | Status | Last Used |
|---|---|---|---|
| wms-sync-prod kilo_9f2… | Devices · ReadSensors · Read | Active | 2026-07-01 14:32 |
| analytics-pipeline kilo_c41… | Dashboards · Read | Active | 2026-07-01 09:05 |
| ci-deploy-rules kilo_77a… | Rules · Write | Rotated | 2026-06-12 18:20 |
| contractor-audit kilo_e08… | Logs · Read | Revoked | 2026-05-30 11:47 |
Managed in Settings → API Keys: one key per integration, scoped to exactly what it needs.
Deployment
The same IoT API in the cloud and on your own infrastructure
Integrations built against the cloud endpoint carry over unchanged to a self-hosted installation — one API surface, wherever the server runs.
Kilo Cloud
The managed endpoint: create a key in Settings → API Keys and start calling the API — no infrastructure of your own to run.
- Managed, secured endpoint
- Start free — no payment details
- Full API reference at api.kiloiot.io
Kilo On-Premise
The same server, self-hosted inside your own network boundary — with the same REST and gRPC API and the same scoped keys, so nothing about your integrations changes.
- Runs inside your network boundary
- Identical API — integrations port unchanged
- gRPC as a natural fit for internal service-to-service automation
Open source
KiloCenter — the open-source mioty service center
KiloCenter is our open-source mioty service center, released under the AGPL license and developed in the open on GitHub. It runs the mioty side of your network as a product in its own right — built for developers who want to own their stack.
Integrate over gRPC and MQTT, deploy with Docker or Kubernetes, and connect it to whatever you run downstream.
Developers
Developer FAQ
How do I authenticate API requests?
Every request carries a scoped API key in the X-API-Key header (format kilo_<key>) plus your organization ID in X-Organization-Id. Keys are created in Settings → API Keys, and all traffic runs over TLS.
Should I use REST or gRPC?
Start with REST — it is the primary path and works from any HTTP client. Choose gRPC when you specifically need typed, generated clients or service-to-service integration, typically on-premise. Both authenticate the same way.
Can I get real-time data without polling?
Yes. Live streams are available over WebSocket and Server-Sent Events (SSE) — the same mechanisms the platform’s dashboards use internally — so your systems receive data as it arrives.
Is the API the same on an on-premise installation?
Yes. An on-premise installation exposes the same API within your own network boundary, so integrations built against the cloud carry over unchanged — and gRPC is a natural fit there for internal automation.
Start building on the Kilo IoT API
Create a free account, generate a scoped key, and make your first call in minutes — or book a call to plan an on-premise deployment.