APIs and protocols supported by Koha

From Koha Wiki

Jump to: navigation, search
Home > Documentation


RESTful web service calls

Koha has an older web API, but a newer more modern REST API is in development, several endpoints are already available. See New REST API RFC for details.


Koha /svc/ HTTP API

Reports web service

Any report can be set to internal or public to be available in JSON format with and without authentication.

A public report is accessible via a URL that looks like this:


An internal report requires authentication and is available from the intranet base URL.

Patrons, circulation, payment etc



ILS-DI is self-documenting, so in an installation where it is enabled, you can get some information about it at the URL:


Because ILS-DI gives access to all your data (items, patrons...), it should be restricted by allowing IP in the admin interface and/or by disabling services via the server.

For Apache, these rules can be added to restrict public access only to the first and second levels of ILS-DI:

 <IfModule mod_rewrite.c>
   # Rewrite Rules
   RewriteEngine On
   # Restricted ILS-DI Access
   RewriteCond %{QUERY_STRING} !(^($|(\??|(.*&))service=(Describe|GetAvailability|GetRecords|GetAuthorityRecords|AuthenticatePatron|HoldTitle)))
   RewriteRule ^/cgi-bin/koha/ilsdi\.pl$ - [R=403,L]

Because an IP can be easily spoofed, the second way is recommended.

Note: If you ever experience a 403 error when issuing an ILS-DI query, check the "service" parameter being passed against the list in the Apache snippet above, it may be that the method in the request isn't whitelisted in the Apache snippet



Bug 11622 made it possible to add PayPal as a payment option in the OPAC.

Other options

Bug 19173 makes OPAC online payments pluggable for easier integration with other and local payment methods.

Bibliographic data


Support for Z39.50 is provided by Zebra.


Koha can act as a Z39.50 server.


Koha can also be used as a client to retrieve both bibliographic and authority records from other Z39.50 servers. This is often referred to as copy cataloguing.



Koha can act as a SRU server.


Koha can also be used as a client to retrieve bibliographic records from other SRU servers.


Data Provider

Koha can be set up as a Data Provider (server) by enabling the OAI-PMH system preference.

Service Provider

Koha can currently not act as a Service Provider (client), but Bug 10662 - Build OAI-PMH Harvesting Client aims to change this, in order to make it possible to have Koha ingest/update records via OAI-PMH.



Koha can output search results in OpenSearch format, but not consume and display OpenSearch data from other sources.


RSS feeds are provided with different information:

  • Search results
  • News items
  • Lists
  • ...





Mozilla Persona

SSL Client Certificate


The OAuth2 protocol is used to integrate Koha with other systems in different ways.

External identity providers

Koha provides configuration options to use Google's OpenID-connect implementation in order to grant access to patrons (cookie based).

Koha as an identity provider

An internal OAuth2 server is implemented. It currently implements the following grant flows:

  • Client credentials
Client credentials grant

The client credentials grant is implemented.

This basic flow is intended to be used with confidential clients (i.e. external systems we trust) and always under secure connections (HTTPS). In order to use it, you need to explicitly enable it using the RESTOAuth2ClientCredentials system preference. Once it is enabled you will be able to manage API keys (client_id and client_secret pairs) on a per-patron basis using the staff interface. The implementation from bug 20612 doesn't provide a way to limit the scope of this tokens (i.e. specify the permissions the API key grants the consumer).



  • quotes
  • orders
  • invoices
  • responses

See also

Personal tools