API
Create API clients for the Operations API (server-to-server) and Pilot API (pilot-facing OAuth) — manage scopes, view request logs, and access interactive documentation.
vAMSYS provides two APIs for integrating with external systems. Both are managed from the same page in Orwell and have interactive OpenAPI documentation.
Accessing API Settings
In Orwell, go to Settings → API → API v3. You need the Can See API Settings permission. Airlines on trial do not have access to API settings.
The Two APIs
| | Operations API | Pilot API |
|---|---|---|
| Purpose | Server-to-server integration — manage fleet, routes, pilots, PIREPs, activities, and more | Pilot-facing applications — third-party apps that authenticate pilots and access their data |
| Grant Type | Client Credentials | Authorization Code + PKCE |
| Authentication | Client ID + Secret | OAuth PKCE flow — no secret, pilot authorises in browser |
| Documentation | Available at /docs/operations on your vAMSYS instance | Available at /docs/pilot on your vAMSYS instance |
Creating a Client
Click New Client and select the grant type for the API you want to use.
Operations API Client (Client Credentials)
Provide a client name and optionally select scopes to restrict what the client can access. If no scopes are selected, the client has unrestricted access to all endpoints.
Available scopes:
ops:read — all GET endpoints. Safe to embed in client-side JavaScript for public displays.
ops:config:write — manage fleet, aircraft, airports, hubs, ranks, badges, routes, and related configuration.
ops:flights:write — manage bookings, PIREP comments, points, notes, and pilot data.
ops:moderation:write — accept, reject, and invalidate PIREPs; ban and delete pilots; manage registrations and transfers.
ops:activities:write — manage events, tours, rosters, focus airports, community goals, and challenges.
After creation, the client ID and secret are shown once. Store the secret securely — it cannot be retrieved later. Use Reset Secret to generate a new secret if needed (this revokes all existing tokens).
Pilot API Client (Authorization Code + PKCE)
Provide a client name, redirect URI, privacy policy URL, and select the scopes your application needs.
Redirect URI — HTTPS URL or custom URI scheme for native apps (e.g., myapp://callback). Plain HTTP is not allowed.
Privacy Policy URL — must be a publicly accessible privacy policy covering how pilot data is handled.
Allowed Scopes — select which pilot data your application can access (identity, pilot profile, flights, activities).
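The following is an added example, not taken from the vAMSYS documentation or code base, showing what a Pilot API client does before sending the pilot to the browser: generate a PKCE verifier and challenge, check the redirect URI against the rule above, and build the authorization request. Assumptions: `AUTHORIZE_ENDPOINT` is a hypothetical placeholder (the real path is in /docs/pilot), the parameter names and the S256 method are the standard ones from RFC 6749 and RFC 7636, and the extra rejection of `javascript`, `data`, `file` and `vbscript` schemes is a client-side check this page does not state.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

# Hypothetical placeholder; take the real authorization endpoint from /docs/pilot.
AUTHORIZE_ENDPOINT = "https://vamsys.example/oauth/authorize"


def b64url(data):
    """Base64url without '=' padding, the encoding RFC 7636 uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters, 256 bits
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def redirect_uri_allowed(uri):
    """HTTPS URL or custom scheme (e.g. myapp://callback); never plain HTTP."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return bool(parts.hostname)
    if scheme in ("", "http"):
        return False
    # Assumption, not from the page: refuse schemes a browser would execute
    # or resolve locally instead of handing to a native app.
    return scheme not in ("javascript", "data", "file", "vbscript")


def build_authorize_url(client_id, redirect_uri, scopes, challenge, state):
    """Build the browser URL; the verifier stays on the device until token exchange."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect URI must be HTTPS or a custom scheme")
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # random per request; compare on callback
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"
```

Because the flow uses no client secret, the verifier is the only proof that the app redeeming the code is the one that started the request, so generate a fresh pair for every authorization attempt and never log it.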
Attestation Required
Pilot API clients are created in a revoked state. The VA Owner must review and attest the client before pilots can authorise it. This confirms the privacy policy is adequate and the application is approved for pilot data access.
Managing Clients
From the API page you can:
View request statistics — see today, this week, this month, and all-time request counts per client.
Edit client settings — update the name, redirect URI, privacy policy, or allowed scopes.
Revoke a client — disable a client without deleting it.
Delete a client — permanently remove a client and all its tokens.
Request Logs
Below the client table, a live request log shows recent API requests with method, endpoint, status code, response time, and IP address. The log refreshes automatically every 30 seconds. Filter by client, HTTP method, status code range, or date.
API Documentation
Interactive API documentation is available directly on your vAMSYS instance:
Operations API — /docs/operations
Pilot API — /docs/pilot
The documentation is auto-generated from the codebase and includes all endpoints, request/response schemas, and authentication requirements. Links to both are also shown at the bottom of the API settings page in Orwell.
Permissions
| Permission | Grants |
|---|---|
Can See API Settings | Access to API client management, request logs, and documentation links |
Note: Only the VA Owner can attest and activate Pilot API clients.