0.28.0
OAS 3.0.0

Lok API Reference

Overview

The Lok API is organized around REST, having resource-oriented URLs, accepts and returns JSON-encoded bodies, and uses standard HTTP response codes, authentication and verbs. Dates are in UTC time standard.

This API allows the integration of your company systems with the rental of lockers:

  • Get lockers locations and its availability
  • Manage reservations on your lockers
  • Get usage reports
  • Manage notifications settings

Authentication

Lok API uses OAuth scheme, using access tokens to authenticate requests. When you request access to Lok API, you will get a client_id and a client_secret. With these credentials you can get an access token which should be included in each request: 

GET /api/v2/some_resource HTTP/2
Host: api.clicknbox.com
Authorization: Bearer youraccesstoken

Your client credentials grant access for a trusted entity, so make sure you store them securely.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

User scopes

An access token has the scope of it's user. Each route has the following security scheme:

Every scope has the following allowed actions:

  • admin is the Lok administrator. Has read access to all reservations and lockers.
  • owner is the top-level user of the company. This scope grants access to all the lockers that are managed by your company.
  • employee grants access to one location only.
  • reporter grants read access to the lockers and reservations managed by your company.
  • seller similarly as an owner, is a top-level user who has access to Lok public network.

Errors

Lok uses conventional HTTP response codes to indicate the success or failure of an API request. However, the field status_code is always returned for redundancy.

Responses with status other than 2xx are error responses:

  • codes in the 4xx range indicate an error related to information provided
  • codes in the 5xx range indicate an error with Lok servers.

Whenever you get an error response, it will have the following properties:

  • type (string): The type of error returned.
  • message (string): A human-readable message providing more details about the error.
  • data (object): Some error types include additional details of the error.

Response example

{
  "status_code": 404,
  "type": "ENTITY_NOT_FOUND",
  "message": "Location not found",
  "data": {
     "id": "11446958822f"
  }
}

Error Types

Request errors

Type Description
NOT_FOUND Requested resource was not found
ENTITY_NOT_FOUND Requested entity was not found
INVALID_REQUEST Request was invalid: missing fields, wrong types or is semantically wrong

Authorization errors

Type Description
GRANT_TOKEN The Lok grant for the operation is invalid
INSUFFICIENT_SCOPE Authorization is insufficient
INVALID_CLIENT Client authentication failed
INVALID_GRANT Authorization is invalid, expired or revoked
INVALID_TOKEN Provided token is expired, revoked or invalid
UNAUTHORIZED_CLIENT The client is not authorized to use requested grant

Reservation errors

Type Description
INVALID_RESERVATION Requested operation cannot be applied to the reservation
UNIQUE_SHIPMENT Provided shipment id is already used within your company
BOX_INCOMPATIBLE Provided package dimensions are incompatible with our box types
NO_CAPACITY The location doesn't have a box available at the moment
LOCATION_LOCKED The location is temporarily locked
INVALID_DUE_DATE Provided delivery date is invalid or in the past

Logistic errors

Type Description
INVALID_ADDRESS Provided address is invalid, too abstract or has multiple matches

Lok server errors

Type Description
REQUEST_TIMEOUT We were unable to sync the data with the locker
UNKNOWN_ERROR An unexpected exception on Lok servers

Third-party errors

Type Description
FAILED_DEPENDENCY We were unable to complete the transaction with an external vendor

Webhook

A Webhook is a callback URL to which our systems send the different events related to your reservations. On each call you can notify your user or operations team and create reports of events.

You can manage your company's webhook settings and subscribe to specific events only or enable/disable it. When adding your webhook for the first time, a secret will be generated that you can use later to validate incoming requests.

Set up a webhook

Data will be sent via HTTP POST method in JSON format and UTF-8 encoding. To confirm that you received a notification successfully, your server must return a 200 (OK) HTTP status code, any other status will be treated as an error and the request will be retried up to 50 times in increasing intervals.

Example with javascript:

var data = typeof req.body == 'string' ? JSON.parse(req.body) : req.body;

if (data.status == 'picked_up') {
var reservation_id = data.reservation_id;
//...
}

Notification payload

The information of the notification will have the following structure:

{
  "reservation_id": "5ccc9e33a97e2f8226ba36d2",
  "shipment_id": "Order 557",
  "status": “delivered”,
  "status_message": "Package received in the locker",
  "t": 1614202849096,
}

reservation_id

  • Type: String
  • Description: The reservation identifier that should be used in subsequent API calls

shipment_id

  • Type: String
  • Description: Identifier that the company assigned to the reservation

status

  • Type: String
  • Description: Current status of the reservation. Possible values are:
    • reserved: Reservation creation confirmation. This event is triggered whenever a new reservation is created or a pre-reservation is confirmed.
    • undelivered: Package waiting to be delivered
    • delivered: Package delivered in the locker
    • unpicked: Package waiting to be picked up
    • reopened: Package first alteration in the locker
    • reopened2: Second package alteration in the locker
    • cancelled: Reservation cancelled confirmation. This event is triggered either with an API cancellation or by using the cancellation token.
    • picked_up: Package was picked up

status_message

  • Type: String
  • Description: Human-readable description of the status

t

  • Type: Number
  • Description: Event triggered timestamp

The undelivered and unpicked events are notified daily until the package is delivered or picked up, respectively.

Notification signature

To verify that the request came from our servers, you can validate the body using the secret granted upon webhook creation: 

const crypto = require('crypto');

const hmac = crypto.createHmac('sha256', YOUR_WEBHOOK_SECRET);

hmac.update(req.body);
const signature = hmac.digest('base64');

and compare signature against Lok-Signature header.

OAuth 2.0 (oauth2)
Client Libraries
Shell
Ruby
Node.js
PHP
Python
More
cURL Shell

OAuth2

Endpoints
GET/oauth/tokenPOST/oauth/tokenDELETE/oauth/tokenGET/oauth/user

Validates token

Responses
  • 200

    Access token granted

  • 401

    Authorization is invalid

GET/oauth/token
Shell cURL
curl --request GET \
  --url https://gateway-dev.chazki.com/api/v2/oauth/token

{
  "status_code": 200,
  "access_token": "…",
  "access_token_expires_at": "2025-05-06",
  "scope": "…"
}

Access token granted

Get an access token

Machine-to-machine authentication

Body
application/x-www-form-urlencoded
grant_type
required
const: 
client_credentials
client_id
required
string
client_secret
required
string
Responses
  • 200

    Access token granted

  • 400

    Bad Request

  • 401

    Authorization is invalid

POST/oauth/token
Client credentials grant
POST /api/v2/oauth/token HTTP/2
Host: api.clicknbox.com
Content-Type: application/x-www-form-urlencoded

grant_type:client_credentials
client_id:your-client-id
client_secret:your-client-secret

{
  "status_code": 200,
  "access_token": "…",
  "access_token_expires_at": "2025-05-06",
  "scope": "…"
}

Access token granted

Revoke an access token

Responses
  • 200

    Successful

  • 401

    Authorization is invalid

DELETE/oauth/token
Shell cURL
curl --request DELETE \
  --url https://gateway-dev.chazki.com/api/v2/oauth/token

{
  "status_code": 200,
  "message": "…"
}

Successful

Get authenticated user

Returns information about the user to whom the access token belongs to

Responses
  • 200

    Successful

  • 401

    Authorization is invalid

GET/oauth/user
Shell cURL
curl --request GET \
  --url https://gateway-dev.chazki.com/api/v2/oauth/user

{
  "status_code": 200,
  "user": {
    "id": "…",
    "name": "…",
    "email": "…",
    "company": {
      "id": "…",
      "name": "…"
    },
    "location": "…",
    "scope": "…",
    "created_at": "2025-05-06",
    "updated_at": "2025-05-06"
  }
}

Successful

Firmware

Communication with master and slave rpi

Health

Location

Endpoints
GET/company/locationsGET/company/locations/{location_id}POST/locations/available

Locations

Towers

Reservation

Endpoints
GET/company/reservationsGET/reservations/{reservation_id}GET/locations/{location_id}/reservations

Reservation

Reservation operations available for locations with Cloud model

Endpoints
GET/company/reservationsGET/reservations/{reservation_id}DELETE/reservations/{reservation_id}GET/locations/{location_id}/reservationsPOST/locations/{location_id}/reservations

Pre-reservation

A pre-reservation allows you to request a locker box ahead of time. Lok tries to hold an available space based on the information passed, but there is no guarantee that the reservation will be able to be completed. A pre-reservation does not need all of the package information on creation and can be updated when you know more about delivery date and package's dimensions.

Endpoints
GET/company/pre_reservationsPUT/reservations/{reservation_id}POST/locations/{location_id}/pre_reservation

Shipment

Logistic services allow you to request a shipping for a pre-reservation. When you are ready to ship the package, you can quote the shipping and request the tracking number. The package's weight is required for this operations since the carrier costs depend on it.

Endpoints
GET/shipping/reservationsGET/reservations/{reservation_id}/labelPOST/shipping_orderPOST/locations/{location_id}/shippingPOST/reservations/{reservation_id}/shippingPOST/reservations/{reservation_id}/shipping/quotation

Addresses

Manage recurrent addresses used for logistic services

Directories

Manage locker directories

Endpoints
GET/company/directoriesPOST/company/directoriesGET/company/directories/{directory_id}PUT/company/directories/{directory_id}POST/company/directories/csvPUT/company/directories/{directory_id}/contacts

Notifications

Available notifications

Geocoding

Google Geocoding API operations

Company Notification

E-mails for operator and administrator of the company to whom the tokens of each reservation should be sent.

Endpoints
GET/company/notification_emailsPUT/company/notification_emails

Reports

Available reports on company activity. All reports are in CSV format.

Endpoints
GET/company/action_logsGET/company/action_logs/csvGET/company/reports/recent_activity

Settings

Catalogue of Lok settings

Companies

Companies management

Webhook

Company webhook settings

Endpoints
GET/company/webhookPUT/company/webhookPUT/company/webhook/status

Mailing

Available mailing actions

User permissions

User API credentials and applications management

Model1

{} Model1
resource
string
status
number
user_email
string
referer
string
origin
string
timestamp
string date

full-date notation as defined by RFC 3339, section 5.6, for example, 2017-07-21

payload
string

action_logs

[] action_logs
array object[]

Model2

{} Model2
action_logs
array object[]
  • Global Environment
    { "exampleKey": "exampleValue" }
  • Global Environment
    { "exampleKey": "exampleValue" }
Response
.,,uod8B8bou,,. ..,uod8BBBBBBBBBBBBBBBBRPFT?l!i:. ||||||||||||||!?TFPRBBBBBBBBBBBBBBB8m=, |||| '""^^!!||||||||||TFPRBBBVT!:...! |||| '""^^!!|||||?!:.......! |||| ||||.........! |||| ||||.........! |||| ||||.........! |||| ||||.........! |||| ||||.........! |||| ||||.........! ||||, ||||.........` |||||!!-._ ||||.......;. ':!|||||||||!!-._ ||||.....bBBBBWdou,. bBBBBB86foi!|||||||!!-..:|||!..bBBBBBBBBBBBBBBY! ::!?TFPRBBBBBB86foi!||||||||!!bBBBBBBBBBBBBBBY..! :::::::::!?TFPRBBBBBB86ftiaabBBBBBBBBBBBBBBY....! :::;`"^!:;::::::!?TFPRBBBBBBBBBBBBBBBBBBBY......! ;::::::...''^::::::::::!?TFPRBBBBBBBBBBY........! .ob86foi;::::::::::::::::::::::::!?TFPRBY..........` .b888888888886foi;:::::::::::::::::::::::..........` .b888888888888888888886foi;::::::::::::::::...........b888888888888888888888888888886foi;:::::::::......`!Tf998888888888888888888888888888888886foi;:::....` '"^!|Tf9988888888888888888888888888888888!::..` '"^!|Tf998888888888888888888888889!! '` '"^!|Tf9988888888888888888!!` iBBbo. '"^!|Tf998888888889!` WBBBBbo. '"^!|Tf9989!` YBBBP^' '"^!` `
    Go Home