REST services

Onemap uses the OpenAPI spec, which can be viewed at E.g.


To allow access to REST endpoints with AJAX, we add an Access-Control-Allow-Origin header to the response of every GET request. Non-GET requests like POST, PUT and DELETE will not have CORS headers in the response, so you need to make these types of requests from a server. More information about CORS can be read at MDN.

Authentication with JWT

The API supports JSON Web Tokens (JWT) for authentication. JWT is an industry standard to send information in a secure way.

  • When using the Onemap viewer JavaScript library for a non-public map, you need to obtain a JWT token of a user without Admin permission. The JavaScript library uses this token to authenticate all requests with Onemap (e.g. to get the map config).
  • When using any other REST API endpoint, you need to add a JWT token to every request yourself. You should never publish (e.g. in JavaScript) a token of an admin user!


The following request returns a JWT token in its response:

    curl -X POST -H "Content-Type: application/json" http://localhost:8000/api/login_check -d '{"username":"johndoe","password":"test"}'

The response body looks like:

    "token" : "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJleHAiOjE0MzQ3Mjc1MzYsInVzZXJuYW1lIjoia29ybGVvbiIsImlhdCI6IjE0MzQ2NDExMzYifQ.nh0L_wuJy6ZKIQWh6OrW5hdLkviTs1_bau2GqYdDCB0Yqy_RplkFghsuqMpsFls8zKEErdX5TYCOR7muX0aQvQxGQ4mpBkvMDhJ4-pE4ct2obeMTr_s4X8nC00rBYPofrOONUOR4utbzvbd4d2xT_tj4TdR_0tsr91Y7VskCRFnoXAnNT-qQb7ci7HIBTbutb9zVStOFejrb4aLbr7Fl4byeIEYgp2Gd7gY"

Use the mentioned API documentation to test your requests. This token can be used for all REST API calls, so be careful when using a generic user to authenticate.

Use a token with limited permissions when embedding the viewer in your website!

Multiple keys for the same user can be used at the same time. A key is valid for 2 hours; an invalid key results in a 401 response.
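A pre-publish check for the advice above, as an added example that is not part of the Onemap documentation or library: it decodes a token's payload (without verifying the signature) and flags tokens that are expired or belong to an account you list as admin. The `username` and `exp` claim names are assumed from the payloads of this page's sample tokens; the function names, the `adminUsers` list and the sample tokens are constructed for illustration.

```javascript
// Added example, not Onemap code. Claim names username/exp are assumed from
// this page's sample tokens; adminUsers is supplied by the caller.

// Decode the payload segment of a compact JWT. This does NOT verify the
// signature (only the server can); it is for inspecting tokens you hold.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated segments');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (claims === null || typeof claims !== 'object') throw new Error('payload is not a JSON object');
  return claims;
}

// Decide whether a token may be shipped to the browser for the viewer.
function checkEmbeddable(token, adminUsers, nowMs = Date.now()) {
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (err) {
    return { ok: false, username: null, secondsLeft: null, problems: [`unreadable token: ${err.message}`] };
  }
  const problems = [];
  const exp = Number(claims.exp);
  const secondsLeft = Number.isFinite(exp) ? Math.floor(exp - nowMs / 1000) : null;
  if (secondsLeft === null) problems.push('no exp claim');
  else if (secondsLeft <= 0) problems.push('expired');
  if (typeof claims.username !== 'string') problems.push('no username claim');
  else if (adminUsers.includes(claims.username)) problems.push('admin account');
  return { ok: problems.length === 0, username: claims.username ?? null, secondsLeft, problems };
}

// Constructed sample token with a fake signature; the users are made up.
function makeSampleToken(claims) {
  const seg = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${seg({ typ: 'JWT', alg: 'RS256' })}.${seg(claims)}.constructed-signature`;
}

const NOW = 1700000000000; // constructed "current time" in ms
const viewerToken = makeSampleToken({ iat: 1699999000, exp: 1700006200, username: 'viewer-readonly' });
const adminToken = makeSampleToken({ iat: 1699999000, exp: 1700006200, username: 'admin' });
const staleToken = makeSampleToken({ iat: 1699990000, exp: 1699997200, username: 'viewer-readonly' });

for (const t of [viewerToken, adminToken, staleToken]) {
  console.log(checkEmbeddable(t, ['admin'], NOW));
}
```

The payload carries a username rather than a permission level, so the check depends on the list of admin accounts you pass in.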

Sending a token with REST requests

The JavaScript viewer will automatically add a JWT token when calling an Onemap REST service, once set with the applicable API method (wgp.setJwtToken).

If you are using the REST service directly, you need to add the token to your requests in the HTTP header:

    const headers = new Headers();
    const jwtToken = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE1NDA0NzU3NzQsImV4cCI6MTU0MDQ3OTM3NCwidXNlcm5hbWUiOiJhZG1pbiJ9.N74CvMlSv17X7i_KPpB9_-dIAQOk_WlFGpY80FKkUmVUOc1lpVquKkdMc9IjE4FAjfbltIDqRuyf46s8PmH42MaLu2XKFWsxsBXLjyEd4L66uE6I8CNAyseovPVfMxuC0ccxIuRG-DXaUuakOYauECBnzvnm7zADrC-BHtMK6ybEYAdQGCHwOvzMO_C6gKs2tHyYORnZLyZpm7vWYW-FfeRXYAE5FF6rg4xtFy5nG0_9Z7Xumn7W12Wq9fngidXRWLWtnz_M2-uhX98hKCd2tmLq8ZMSyHdDZ1LlgbEhBBgH1BT-hrowxnSmHjj7Ha9Aw98P0PkwEnABn-Nz4PimB9mBATdcYp64mAznOX_DmarVGFGpM1Un5zWSiPZkWfm0BTP1vvvmV7mpaTuZ455kH8dww0KHTSxmlSrzsGF-_E19POuY1_bNoVF1C9lHXepdrBmB4Q7aOsimnSBUPS3k9eFTkVFxWKEUXeuXyU2Np7VkwoXPG1i5I-JxJfxEx5Za4qewSb8NErBFnp6cCaJ9UwRcqFaGJoAZw3wffNTznIz3CSyaGR-8F8Kr3ma_rrGkzocDnEZcwSSBULQM_siVWW2oolyd-fx4bY71wCsYpD-f9UlQGRe2RuTQ2T8Cxt16d_ciCz4uqwrWdKdBgJfuddNmlRy7bcCAiWt0ArrTyWA'
    // Send the token as a Bearer credential in the Authorization header
    headers.set('Authorization', `Bearer ${jwtToken}`);
    fetch('http://localhost:8080/api/v1/mapservices', { headers });