Skip to main content
Version: 3.8.x

JATOS API

info

Using the JATOS API requires some advanced knowledge of HTTP and how to call APIs from e.g. a programming language or a terminal. If you just want to run a study with JATOS this is probably not what you need. Anything that you can do (programmatially) with the API can also be done (by hand) with JATOS' GUI.

Introduction

Since version 3.8.1 JATOS offers an (HTTP) API to make integrating JATOS into other tools easier. One common usage of the API is to call JATOS directly from Python, R, Matlab (or any other programming language) in an automated and programatic fashion.

Things that are possible with the API:

  • Import/export studies
  • Update your study by uploading/downloading/deleting single study assets files
  • Export results
  • Export study/componnent properties
  • Get study codes (to build study links that can be distributed to participants)

Have a look and try it out

You can even try out the API with your local JATOS. Here's how:

  1. Generate a token in your local JATOS. (The JATOS API uses personal access tokens with bearer authentication.)
  2. Copy your token
  3. Go to petstore.swagger.io. You'll see all API endpoints and their descriptions.
  4. At the top of the Swagger page, you'll find a green 'Authorize' button. Paste the JATOS token into Authorize -> Bearer Auth. Don't forget to click on Authorize.
  5. Choose the server http://localhost:9000 (probably already set)
  6. Try it out! (Click on each link to try the corresponding endpoint with pre-loaded defaults)

OpenAPI specification

The JATOS API uses OpenAPI 3 for specification. You can use petstore.swagger.io to have an easy navigatable page.

The API is work in progress (this is the first version). To request any additional endpoints, please write a GitHub issue.

Authentication

The JATOS API uses bearer authentication. It's pretty simple.

From swagger.io:

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name "Bearer authentication" can be understood as "give access to the bearer of this token." The bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources.

Every HTTP request to the API needs this header (replace <token> with your token):

Authorization: Bearer <token>

And an example in different tools/languages with the endpoint /jatos/api/v1/admin/token that just returns some info about the used token:

curl -i -H "Authorization: Bearer jap_OeYwru727YeLzxcHSvIFlTQ52Ud03wo7cd41f" https://example.com/jatos/api/v1/admin/token

Personal access tokens

The JATOS API uses personal access tokens (PATs or API tokens).

From wikipedia:

a personal access token (or PAT) is a string of characters that can be used to authenticate a user when accessing a computer system instead of the usual password. Though associated with a single account, multiple PATs may be created, and can be manipulated independently of the password associated with that account, including creation and revocation of PATs without altering the password.

Unlike other systems (e.g. GitHub) JATOS' tokens have no roles or scopes. A token has the same access as the user they are associated with. Therefore, naturally, a token can only be used to access studies or their result data if the associated user is a member of this study. Only admin tokens (tokens associated with an admin user) can access the administration endpoints.

How to generate a token

Go to your user's page (click on your name in the top-right header). Then click the button API Tokens.

API token 1

In the pop-up window click the button New Token". Then choose a descriptive _name (doesn't have to be unique). Choose the time period when the token is about to expire. Click Generate.

API token 1

Now your token will be shown. Copy it to a safe place. It will never be shown to you again.

API token 1

In the token overview windows you can temporarily deactivate a token or delete it altogether.

API token 1

How to import a study

The endpoint to import a study, /jatos/api/v1/study, can be a bit tricky. It uses POST request with the header Content-Type: multipart/form-data to upload the a study archive file (JZIP) in binary format.

Here are some examples in different tools/languages. They all upload a JZIP file named test.jzip:

curl -X 'POST'   'https://example.com/jatos/api/v1/study'   -H 'accept: application/json' -H 'Authorization: Bearer jap_OeYwru727YeLzxcHSvIFlTQ52Ud03wo7cd41f'   -H 'Content-Type: multipart/form-data'   -F 'study=@test.jzip'

Deactivate the JATOS API

By default the API is activated and ready to use. If, for whatever reasons, you want to turn it off, edit the conf/jatos.conf (or conf/production.conf in version < 3.8.3) in the JATOS installation folder. Search for jatos.api.allowed and remove the #:

jatos.api.allowed = false