Configuration and Options

The ePASS External API (XAPI) is configured through a single JSON config file: “appsettings.json”. This file is located in the root of the installation folder and contains a variety of important settings.


  "XAPI": {
    "LogEnabled": true,
    "LogFileLocation": "epass-xapi.log",
    "TokenExpiryInMinutes": 60,
    "RefreshExpiryInMinutes": 600,
    "TrackStatistics": true,
    "TrackStatisticsSize": 500,
    "TrackStatisticRequest": true,
    "TrackStatisticResponse": true
  "Licensing": { ignore },
  "ConnectionStrings": {
    "DBName": "Server=<IP>;Port=<port>;User=<dbuser>;Password=<dbpassword>;Namespace=<dbname>;Max Pool Size = 5;Min Pool Size = 1;"

XAPI Object


LogEnabled [boolean]: Set to ‘true’ if you want to enable logging. If the value is ‘false’, all other logging settings are simply ignored. The system will write log entries to the “ErrLog” table in the ePASS database; however, if the database cannot be accessed then the error is written to a log file in the root of the WebAPI installation folder.

LogFileLocation [filename/string]: The name of the file that a log entry is written to only if the application cannot access the database. This log file should typically be empty or non-existent.


TokenExpiryInMinutes [integer]: When a user logs into the XAPI they are granted a session token. This value dictates the duration of time that the session token is valid. After a token expires, the refresh token can be used to generate another token. It is recommended that this is a fairly short-lived token. The actual number of minutes is relative to the risk of a data breach.

RefreshExpiryInMinutes [integer]: This indicates the number of minutes a refresh token should be valid. This can be a long duration and should be considerably longer than the TokenExpiryInMinutes value. This token is explained more in the Session Management section of this wiki.


The statistics feature allows the recording of requests and responses which provides programmers with the ability to view the raw request data that was received by an endpoint and the raw response data sent back to the caller. The ‘track statistics’ feature is not intended for production usage but rather for debugging a particular issue.

Table: XapiSessionStatistics

TrackStatistics [boolean]: Enable or disables the tracking feature.

TrackStatisticsSize [integer]: The maximum number of rows allowed to exist in the statistics table. Rows oldest are deleted as this limit is reached.

TrackStatisticRequest [boolean]: Writes the quest raw data to the XapiSessionStatistic row.

TrackStatisticResponse [boolean]: Writes the response raw data to the XapiSessionStatistic row truncated to 1,500 characters.

ConnectionStrings Object

The ConnectionStrings sections may have an unlimited number of databases configured. During the login process, the calling application supplies a user, password, and organization id (known as the database name). Each database name must be unique. The following is a sample database string for a database called “DEMO”:

"DEMO": "Server=;Port=12345;User=User1;Password=abcdef;Namespace=DEMO;Max Pool Size = 5;Min Pool Size = 1;"

Server: IP address to DNS Name of the database server.

Port: Port number permitted for connections to the database server.

User: This is a database user and not an ePASS user.

Password: The password field is unique; it allows a person to type in a plain text password such as “MyPassword123” and once the application starts it will encrypt the password and write the cipher text back into this connection string.

Max Pool Size: This will throttle the maximum number of database connections permitted by the XAPI application. If this number is reached, subsequent requests will be delayed while waiting for a free connection.

Min Pool Size: This is the initial size of the application pool. This will only make a difference in situations where the application is requiring quick responsiveness after an application restart.

What’s Next?


Link #2