ACT365 (www.act365.eu) is the cloud-based access control system supported by Vanderbilt International. This API allows third-party developers to control customer access control systems and perform important activities including commanding doors, registering controllers, reviewing log events, viewing muster reports, creating/editing cardholders, and more.
- Installers: Manage physical infrastructure including controllers, doors, and cameras
- Customers: End-users for the access control system
Access to the API is restricted to valid service user logins (defined within www.act365.eu only).
- Set the
Accept-LanguageHTTP header to the desired culture (e.g.,fr-FR) - Some API calls require location headers:
locationLatitudeandlocationLongitude
Endpoint: POST https://userapi.act365.eu/api/account/login
Description: Performs the login, which must be the first action taken.
Request Format: application/x-www-form-urlencoded
Parameters:
email(string): Valid service user emailpassword(string): Valid service user password
Response:
{
"access_token": "string",
"token_type": "string",
"expires_in": 86400,
"userName": "string",
".issued": "datetime",
".expires": "datetime"
}Notes:
- Valid access tokens last for 24 hours
- Login API calls are limited to 1 per minute
- Must be the first API call made
- Token must be passed in
Authorization: Bearer {token}header for all subsequent requests
Vanderbilt implements API throttling to ensure optimal service for all users.
Throttling Behavior:
- Excessive usage triggers HTTP 429 (Too Many Requests)
- Implemented on a per-user basis for 1 second/minute/hour/day/week time windows
- Usage monitoring is cumulative within each time window
Response Headers:
Retry-After: Number of seconds to wait before retryingRate-Limit: Active rate limit for the callRate-Period: Time window type ("Second", "Minute", "Hour", "Day", "Week", "Concurrent")
Endpoint: GET /api/summary
Description: Lists customers and sites with ACU counts and muster information.
Response:
- For installers: Lists all customers and sites
- For customers: Returns only their own details
- Includes
musteredcardholders (currently on the specified site) - Returns
ServiceUserType("Installer" or "Customer")
Endpoint: GET /api/customers
Description: Retrieves all customer details.
Response:
- For installers: Details on all available customers
- For customers: Only their own details
- Includes location coordinates with
LocationAccurateflag - Address and contact details may be empty or null
Endpoint: GET /api/sites
Query Parameters:
customerid(optional): Filter by specific customer
Description: Gets list of all available sites.
Endpoint: GET /api/sites/{siteid}
Parameters:
siteid(required): Site ID
Description: Returns information for a specific site.
Endpoint: POST /api/lockdown/activate
Description: Activates site lockdown (requires door group configuration).
Endpoint: POST /api/lockdown/clear
Description: Clears site lockdown.
Endpoint: POST /api/lockdown/command
Description: Issues lockdown command to configured door group.
Endpoint: GET /api/acus
Query Parameters:
customerid(optional): Filter by customersiteid(optional): Filter by site
Description: Gets all registered ACUs for the installer or customer.
Endpoint: GET /api/acus/{acuid}
Parameters:
acuid(required): Controller ID
Description: Returns individual ACU details.
Endpoint: POST /api/acus
Request Body:
{
"customerid": "integer",
"siteid": "integer",
"cuid": "string",
"name": "string"
}Description: Registers a new ACU (installers only).
Notes:
- CUID is the unique ID printed on the ACU
- A default door named "Door {ACU}" is created automatically
- ACU must be properly configured, powered, and internet-connected to come online
Endpoint: DELETE /api/acus/{acuid}
Parameters:
acuid(required): ACU ID
Requires Location Headers: May be required if customer requested additional security
Description: Unregisters an ACU and its associated doors.
Notes:
- Necessary before moving an ACU to another site
Endpoint: GET /api/doors
Query Parameters:
siteid(optional): Filter by sitecustomerid(optional): Filter by customer
Description: Gets list of doors (directly associated with ACUs).
Field Prefixes:
- "TZ" prefix refers to ACT timezones
- All time fields in seconds
Door Operation Options (bit-mapped):
- None = 0, OptLockSaver = 1, OptSilent = 2, OptChime = 4, OptFreeExit = 8, OptInterlock = 16, OptExitButton = 32, OptPinRequiredOnExit = 64, OptPir = 128, OptFailsafe = 256, OptToggle = 512, OptIntruderPanel = 1024, OptAccessOnly = 2048, OptBreakglass = 4096, OptTamper = 8192, OptMainsFault = 16384, OptContactMonitoring = 32768, OptUnlockFirstAccess = 65536, OptPinSearchAllCardholders = 131072
Auxiliary Options (bit-mapped):
- OptAuxActivateAjar = 1, OptAuxActivateForced = 2, OptAuxActivateOpen = 4, OptAuxActivateDenied = 8, OptAuxActivateGranted = 16, OptAuxActivateDuress = 32, OptAuxActivateExitGranted = 64, OptAuxActivateExitDenied = 128, OptAuxActivateFollowMainRelay = 256, OptAuxActivateArmIntruderPanel = 512, OptAuxActivateBreakglass = 1024
Logging Options (bit-mapped):
- OptLogForced = 1, OptLogReadErrors = 2, OptLogExitButton = 4, OptLogOpen = 8, OptLogClose = 16, OptLogDoorAjar = 32
Endpoint: GET /api/doors/{doorid}
Parameters:
doorid(required): Door ID
Description: Returns individual door details.
Endpoint: GET /api/doors/cardholder/{cardholderid}
Parameters:
cardholderid(required): Cardholder ID
Description: Returns the set of doors a cardholder can access.
Endpoint: POST /api/doors/{doorid}/command
Parameters:
doorid(required): Door IDcommand(required): "Pass", "Normalise", "Lock", or "Unlock"
Requires Location Headers: May be required if customer requested additional security
Description: Issues a command to a door.
Endpoint: POST /api/doors/command
Request Body:
{
"doors": ["integer"],
"command": "string"
}Parameters:
doors(array): Array of door IDscommand(string): "Pass", "Normalise", "Lock", or "Unlock"
Requires Location Headers: May be required if customer requested additional security
Description: Issues commands to multiple doors (only valid, enabled, and connected doors receive commands).
Endpoint: GET /api/doorgroups
Query Parameters:
siteid(optional): Filter by sitecustomerid(optional): Filter by customer
Description: Gets door groups for a customer and/or site.
Notes:
- Every site has an "All Doors" door group (IsEditable=false)
- Every customer has "All Doors" for all sites (IsEditable=false)
- "No Doors" door group exists system-wide (IsEditable=false)
Endpoint: GET /api/doorgroups/{doorgroupid}
Parameters:
doorgroupid(required): Door group ID
Description: Returns individual door group details (customers only).
Endpoint: POST /api/doorgroups
Request Body:
{
"siteid": "integer",
"customerid": "integer",
"name": "string",
"doors": ["integer"],
"timezones": ["integer"]
}Description: Adds new door group to the site.
Notes:
- Site and customer IDs are compulsory
- Doors list must be accessible for the site
- Empty doors list not accepted
- Returns new ID in response
- Wait 30 seconds before updating after creation
Endpoint: PUT /api/doorgroups/{doorgroupid}
Description: Updates existing door group (all fields updated).
Notes:
- Wait 30 seconds before updating after creation
Endpoint: DELETE /api/doorgroups/{doorgroupid}
Parameters:
doorgroupid(required): Door group ID
Description: Deletes door group (ID cannot be reused).
Endpoint: GET /api/cameras
Query Parameters:
siteid(optional): Filter by sitedoorid(optional): Filter by door
Description: Returns cameras available for viewing.
Response:
LiveFeed: Contains HLS stream URL (Apple) and DASH stream URL (Android/Desktop)DeviceStatus: Indicates if camera is online or offline
Endpoint: GET /api/events/muster
Query Parameters:
siteid(required): Site ID
Description: Provides list of all cardholders currently on a customer's site.
Endpoint: POST /api/events/cardholder/{cardholderid}/checkout
Parameters:
cardholderid(required): Cardholder ID
Requires Location Headers: May be required if customer requested additional security
Description: Removes cardholder from muster report (when safely off-site).
Endpoint: POST /api/events/cardholder/{cardholderid}/checkin
Parameters:
cardholderid(required): Cardholder IDsiteid(required): Preferred site ID
Requires Location Headers: May be required if customer requested additional security
Description: Manually checks cardholder into specified site.
Endpoint: GET /api/events
Query Parameters:
siteid(required): Site ID
Description: Gets most recent log events for a site (shorter version).
Notes:
- Ordered by Time descending by default
Endpoint: GET /api/events/cardholder-group/{cardholdergroup}
Parameters:
cardholdergroup(required): Cardholder group ID
Description: Gets log events for a specific cardholder group (longer version).
Endpoint: GET /api/events/cardholder/{cardholderid}
Parameters:
cardholderid(required): Cardholder ID
Description: Gets log events for specified cardholder (ordered by Time descending).
Endpoint: GET /api/events/door/{doorid}
Parameters:
doorid(required): Door ID
Description: Gets log events for specific door (ordered by Time descending).
Endpoint: GET /api/events/door-group/{doorgroupid}
Parameters:
doorgroupid(required): Door group ID
Description: Gets log events for specific door group (ordered by Time descending).
Endpoint: GET /api/events/site/{siteid}
Parameters:
siteid(required): Site ID
Description: Gets full-format log events for a site (ordered by Time descending).
Endpoint: GET /api/events/category/{category}
Parameters:
category(required): Event category number
Valid Categories:
- 1 = Alarm, 2 = Warning, 3 = Information, 4 = Normal, 5 = Access, 6 = Exit, 7 = Granted, 8 = Denied, 9 = Controller, 10 = Door, 11 = System, 12 = Camera, 13 = DVR, 14 = Video, 15 = Recording
Description: Gets full-format log events for specified category (ordered by Time descending).
Endpoint: GET /api/events/alarms
Query Parameters:
siteid(required): Site ID
Description: Gets most recent alarm log events for specified site (ordered by Time descending).
Endpoint: GET /api/cardholders
Query Parameters:
siteid(optional): Filter by sitecustomerid(optional): Filter by customer
Description: Provides list of cardholders (ordered by last name).
Endpoint: GET /api/cardholders/{cardholderid}
Parameters:
cardholderid(required): Cardholder ID
Description: Returns individual cardholder details.
Endpoint: GET /api/cardholders/external/{externalid}
Parameters:
externalid(required): External ID
Description: Returns cardholder by external ID.
Endpoint: POST /api/cardholders
Request Body:
{
"siteid": "integer",
"customerid": "integer",
"forename": "string",
"surname": "string",
"startValid": "dd/MM/yyyy HH:mm",
"endValid": "dd/MM/yyyy HH:mm",
"pin": "string",
"cards": ["string"],
"cardholderGroupId": "integer",
"externalId": "string"
}Description: Adds new cardholder at specified site.
Notes:
- siteid and customerid are compulsory
- Forename and Surname should be supplied
- StartValid and EndValid are optional (limit validity period)
- Card numbers must be unique
- Cards array allows maximum of 4 cards (takes precedence over Card1/Card2)
- One cardholder group per site + one all-sites level
- Returns new cardholder ID in response
- Wait 30 seconds before updating after creation
Endpoint: PUT /api/cardholders/{cardholderid}
Description: Updates existing cardholder (all fields updated).
Notes:
- Wait 30 seconds before updating after creation
Endpoint: DELETE /api/cardholders/{cardholderid}
Parameters:
cardholderid(required): Cardholder ID
Description: Deletes cardholder (disables card and removes from list).
Endpoint: DELETE /api/cardholders
Query Parameters:
customerID(required): Customer ID- Other filter parameters (optional)
Description: Deletes up to 100 cardholders matching parameters.
Notes:
- Date formats: "yyyy-MM-dd HH:mm", "yyyy-MM-dd HH:mm:ss", or "yyyy-MM-dd HH:mm:ss.fff"
Endpoint: DELETE /api/cardholders/bulk
Request Body:
{
"ids": ["integer"]
}Description: Deletes up to 100 cardholders by ID list.
Notes:
- ItemResults shows success status per cardholder
Endpoint: POST /api/cardholders/bulk
Request Body:
[
{
"siteid": "integer",
"customerid": "integer",
"forename": "string",
"surname": "string",
"startValid": "dd/MM/yyyy HH:mm",
"endValid": "dd/MM/yyyy HH:mm",
"pin": "string",
"cards": ["string"]
}
]Description: Creates up to 100 new cardholders.
Notes:
- Returns ItemResults list with success flag and created ID for each
- Overall Success flag indicates if all were added successfully
Endpoint: POST /api/cardholders/{cardholderid}/enable or /disable
Parameters:
cardholderid(required): Cardholder ID
Requires Location Headers: May be required if customer requested additional security
Description: Enables or disables cardholder access rights.
Endpoint: POST /api/cardholders/enable or /disable
Request Body:
{
"ids": ["integer"]
}Description: Enables/disables multiple cardholders.
Notes:
- Returns sorted list with ItemResult success information
Endpoint: GET /api/cardholders/randompin
Query Parameters:
siteid(required): Site IDcustomerid(required): Customer ID
Description: Returns a random PIN unique for the customer/site.
Endpoint: POST /api/cardholders/{cardholderid}/switchsite
Parameters:
cardholderid(required): Cardholder IDnewsiteid(required): New site ID
Description: Moves cardholder to be managed by different site.
Endpoint: POST /api/cardholders/{cardholderid}/photo
Parameters:
cardholderid(required): Cardholder ID- Binary image file attachment
Content-Type: multipart/form-data
Description: Updates cardholder photograph.
Endpoint: GET /api/cardholders/{cardholderid}/photo
Parameters:
cardholderid(required): Cardholder ID
Description: Retrieves cardholder photograph.
Endpoint: GET /api/cardholders/{cardholderid}/photo/thumbnail
Parameters:
cardholderid(required): Cardholder ID
Description: Retrieves cardholder photograph thumbnail.
Endpoint: GET /api/cardholdersgroups
Query Parameters:
customerid(optional): Filter by customersiteid(optional): Filter by site
Description: Provides list of all cardholder groups.
Notes:
- MaxPinLength is read-only
Endpoint: GET /api/cardholdersgroups/{cardholdergroupid}
Parameters:
cardholdergroupid(required): Cardholder group ID
Description: Returns individual cardholder group details.
Endpoint: POST /api/cardholdersgroups
Request Body:
{
"siteid": "integer",
"customerid": "integer",
"name": "string",
"doorgroups": ["integer"],
"timezones": ["integer"]
}Description: Adds new cardholder group to site.
Notes:
- siteid and customerid are compulsory
- Timezones and door groups must be from same site or all-sites level
- Returns new ID in response
- Wait 30 seconds before updating after creation
Endpoint: PUT /api/cardholdersgroups/{cardholdergroupid}
Description: Updates existing cardholder group (all fields updated).
Notes:
- Wait 30 seconds before updating after creation
Endpoint: DELETE /api/cardholdersgroups/{cardholdergroupid}
Parameters:
cardholdergroupid(required): Cardholder group ID
Description: Deletes cardholder group (ID cannot be reused).
Timezones define time periods within which access can be granted/denied to cardholders.
Endpoint: GET /api/timezones
Query Parameters:
customerid(optional): Filter by customersiteid(optional): Filter by site
Description: Provides list of all timezones.
Default System Timezones:
- "24 Hours": Provides access all day (system-managed, not editable)
- "No Timezone": Specifies no access (system-managed, not editable)
Time Period Format:
- Days of week (bit-mapped): Sunday=1, Monday=2, Tuesday=4, Wednesday=8, Thursday=16, Friday=32, Saturday=64
- Holiday types (bit-mapped): Type 1=1, Type 2=2, etc.
- Times: "HH:mm" format (00:00 to 23:59)
- Interpreted as local time by ACU
Notes:
- siteid of 0 specifies all-sites timezone (shareable across customer sites)
Endpoint: GET /api/timezones/{timezoneid}
Parameters:
timezoneid(required): Timezone ID
Description: Returns individual timezone details (customers only).
Endpoint: POST /api/timezones
Request Body:
{
"siteid": "integer",
"customerid": "integer",
"name": "string",
"timePeriods": [
{
"startTime": "HH:mm",
"endTime": "HH:mm",
"daysOfWeek": "integer",
"holidayTypes": "integer"
}
]
}Description: Adds new timezone to customer/site.
Endpoint: PUT /api/timezones/{timezoneid}
Description: Updates existing timezone.
Notes:
- Wait 30 seconds before updating after creation
Endpoint: DELETE /api/timezones/{timezoneid}
Parameters:
timezoneid(required): Timezone ID
Description: Deletes timezone.
Restrictions:
- Cannot delete if used by cardholder group
- Cannot delete if IsEditable=false
WebHook support for log events (requires secret token in API Settings).
Endpoint: POST /api/webhooks
Request Body:
{
"siteid": "integer",
"customerid": "integer",
"url": "string"
}Description: Registers WebHook for Site or Customer.
Notes:
- One WebHook per Site + one for Customer
- Expires 5 minutes after user session expires
- Recommend registering after each login
- No Site ID = all customer events (ID starts with 'c' + customerID)
- With Site ID = site-specific events (ID starts with 's' + siteID)
Endpoint: DELETE /api/webhooks/{webhookid}
Parameters:
webhookid(required): WebHook ID
Description: Unregisters WebHook for Site or Customer.
Endpoint: GET /api/webhooks
Query Parameters:
customerid(optional): Filter by customersiteid(optional): Filter by site
Description: Retrieves registered WebHooks.
Endpoint: GET /api/video/segmenter
Description: Captures diagnostic information about Segmenter server state.
Response Fields:
InstanceCount: Number of active Azure instancesInstanceID: Unique ID of each instance
Endpoint: GET /api/video/stream
Query Parameters:
instanceId(optional): Stream instance ID
Description: Captures diagnostic information of video streams.
Notes:
- Source field: 0=Segmenter, 1=Player
- If instanceId passed, updates existing instance data
- If instanceId not passed, generates new instanceId in response
Endpoint: GET /api2/Sites
Query Parameters:
maxlimit(optional): Maximum resultsskipover(optional): Skip records
Description: Lists available sites for a customer.
Endpoint: GET /api2/Sites/{siteid}/Doors
Parameters:
siteid(required): Site ID
Description: Lists all doors on specified site.
Endpoint: POST /api2/Bookings
Request Body:
{
"siteid": "integer",
"doorid": "integer",
"pin": "string",
"start": "dd/MM/yyyy HH:mm",
"end": "dd/MM/yyyy HH:mm"
}Description: Creates new event booking.
Notes:
- Date format must be exact: "dd/MM/yyyy HH:mm"
- Booking period should include buffer time before/after event
- Returns new bookingID in response
Endpoint: GET /api2/Bookings/{bookingid}
Parameters:
bookingid(required): Booking ID
Description: Returns booking details (null if doesn't exist or access denied).
Endpoint: PUT /api2/Bookings/{bookingid}
Request Body:
{
"siteid": "integer",
"doorid": "integer",
"pin": "string",
"card": "integer",
"start": "dd/MM/yyyy HH:mm",
"end": "dd/MM/yyyy HH:mm"
}Description: Changes a booking (original deleted, new one created with new ID).
Notes:
- If card field is 0 or omitted, any linked card is deleted
- Wait 30 seconds before updating after creation
Endpoint: DELETE /api2/Bookings/{bookingid}
Parameters:
bookingid(required): Booking ID
Description: Removes booking from system.
Endpoint: POST /api2/Bookings/bulk
Request Body:
[
{
"siteid": "integer",
"doorid": "integer",
"pin": "string",
"start": "dd/MM/yyyy HH:mm",
"end": "dd/MM/yyyy HH:mm"
}
]Description: Creates multiple bookings.
Notes:
- Returns new bookingIDs in response
Endpoint: DELETE /api2/Bookings
Query Parameters:
customerID(required): Customer ID- Other filter parameters (optional)
Description: Deletes up to 100 bookings matching parameters.
Endpoint: DELETE /api2/Bookings/bulk
Request Body:
{
"ids": ["integer"]
}Description: Deletes up to 100 bookings by ID list.
Notes:
- ItemResults shows success per booking
Endpoint: GET /api2/Sites/{siteid}/Bookings
Parameters:
siteid(required): Site ID
Query Parameters:
date(optional): Start date "dd/MM/yyyy" (default: today)maxlimit(optional): Maximum resultsskipover(optional): Skip records
Description: Lists bookings for a site from specified date.
Endpoint: POST /api2/Schedule
Request Body:
{
"siteid": "integer",
"doorid": "integer",
"outputId": "integer",
"schedulePeriods": [
{
"start": "dd/MM/yyyy HH:mm",
"end": "dd/MM/yyyy HH:mm"
}
]
}Description: Applies schedule to trigger door output (Aux Relay or OP2/OP3).
OutputId Values:
- 1 = Aux Relay
- 2 = OP2
- 3 = OP3
Schedule Rules:
- Maximum 8 schedule periods per call
- One schedule active per output at a time
- Periods must be from current date, max 6 days future
- Pass empty array to turn output off
- If schedule spans 2 days, pass 2 separate periods
- Works on named day basis (repeats following week)
Notes:
- Date format must be exact: "dd/MM/yyyy HH:mm"
Endpoint: GET /api/localisation
Query Parameters:
SearchPattern(optional): Pattern to match identifiersSearchStrings(optional): Specific identifier list- Language: Set via
Accept-Languageheader
Description: Retrieves localised strings matching request criteria.
Notes:
- SearchPattern returns all matching identifier starts
- SearchStrings returns only exact matches
- SearchPattern takes precedence if both provided
- No parameters returns all resources
| Code | Status | Detail |
|---|---|---|
| 1 | InvalidCustomer | The customer passed is invalid |
| 2 | InvalidSite | The site passed is invalid |
| 3 | InvalidData | Invalid input data provided |
| 4 | NoPermission | User does not have permission to this action |
| 5 | CardHolderDoesNotExist | Requested cardholder does not exist |
| 6 | TimezoneDoesNotExist | Requested time zone does not exist |
| 7 | DuplicateName | Cardholder with given name already exists |
| 8 | DuplicatePin | Provided PIN is already in use |
| 9 | PinRangeError | PIN is out of valid range |
| 10 | ZeroPinError | PIN of 0 is not valid |
| 11 | DuplicateCardError | Card number already in use |
| 12 | ValidityPeriodError | Validity period is invalid |
| 13 | DuplicateCHGError | Cardholder group with given name already exists |
| 14 | NoCHGError | No cardholder group provided |
| 15 | MaxCardsError | Exceeded maximum number of cards for cardholder |
| 16 | NameRequired | Cardholder must have a name |
| 18 | InvalidCardNumber | Invalid card number (range 0-4294967295) |
Endpoint: GET /api/permissions
Description: Gets list of access rights for current user (based on Auth header).
Important:
- Permission
AccessAllowedis required to access customer/site entities - If
AccessAllowed= false, user cannot access any entities for that customer/site
- Token Validity: 24 hours
- Login Rate Limit: 1 call per minute
- Wait Time: 30 seconds minimum between creation and update of entities
- End of Life: Apiary is being deprecated as of October 31, 2026