Example API Calls Using Powershell and Bash/curl for Omada Controller (last validated on 5.12.7)

omada_api.ps1

### PowerShell Example
# set variables
$OMADA_URL = "https://omada.example.com:8043"
$USERNAME = "admin"
$PASSWORD = "test12345"

# get controller id from the API
$CONTROLLER_ID = (Invoke-RestMethod -Uri "${OMADA_URL}/api/info" -Method Get -UseBasicParsing).result.omadacId

# set the login request body as json
$loginRequestBody = @{
     username = $USERNAME
     password = $PASSWORD
 } | ConvertTo-Json

# login, get token, set a session variable
$loginResponse = Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/login" -Method Post -ContentType "application/json" -Body $loginRequestBody -SessionVariable OmadaSession

# extract the token and create a variable for the headers
$TOKEN = $loginResponse.result.token
$RequestHeaders = @{
     "Csrf-Token" = $TOKEN
     "Content-Type" = "application/json"
 }

# validate login
Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/loginStatus?token=${TOKEN}" -Method Get -Headers $RequestHeaders -WebSession $OmadaSession

# example to get info on the current user
Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/users/current?token=${TOKEN}&currentPage=1&currentPageSize=1000" -Method Get -Headers $RequestHeaders -WebSession $OmadaSession

omada_api.sh

### Bash Example
# set variables
OMADA_URL="https://omada.example.com:8043"
USERNAME="admin"
PASSWORD="test12345"

# get controller id from the API
CONTROLLER_ID="$(curl -sk "${OMADA_URL}/api/info" | jq -r .result.omadacId)"
 
# login, get token, set & use cookies
TOKEN="$(curl -sk -X POST -c "/tmp/omada-cookies.txt" -b "/tmp/omada-cookies.txt" -H "Content-Type: application/json" "${OMADA_URL}/${CONTROLLER_ID}/api/v2/login" -d '{"username": "'"${USERNAME}"'", "password": "'"${PASSWORD}"'"}' | jq -r .result.token)"

# once logged in, make sure you add the following header on additional API calls:
# -H "Csrf-Token: ${TOKEN}"

# validate login
curl -sk -X GET -b "/tmp/omada-cookies.txt" -H "Content-Type: application/json" -H "Csrf-Token: ${TOKEN}" "${OMADA_URL}/${CONTROLLER_ID}/api/v2/loginStatus?token=${TOKEN}" | jq .

# example to get info on the current user
curl -sk -X GET -b "/tmp/omada-cookies.txt" -H "Content-Type: application/json" -H "Csrf-Token: ${TOKEN}" "${OMADA_URL}/${CONTROLLER_ID}/api/v2/users/current?token=${TOKEN}&currentPage=1&currentPageSize=1000"

Can't tell me why I always get the following:

<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <!-- 不可以删除，用以本地版本校准静态资源路径，从根目录获取 -->
    <base href="/" />

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
    <meta name="format-detection" content="telephone=no">
    <meta name="viewport" content="width=1300,initial-scale=1,minimal-ui"/>
    <link rel="shortcut icon" href="favicon.ico"/>
    <link rel="stylesheet" href="theme/lib/css/spectrum-d0fce89613.css">
    <link rel="stylesheet" href="theme/css/su-a61fe7bf98.css">
    <title id="title">Omada Controller</title>
    <noscript>
        <meta http-equiv="refresh" content="0; url=error.html"/>
    </noscript>
</head>

<body>
<div id="main-container" class="m-b-0"></div>
<canvas id="canvas-test"></canvas>
<script type="text/javascript" src="js/libs/polyfill-6926951583.min.js"></script>
<script type="text/javascript" src="js/libs/g6-75b82cdd1d.min.js" async></script>
<script type="text/javascript" src="js/libs/jquery-4cb8672160.min.js"></script>
<script type="text/javascript" src="js/libs/jquery-16e37f8666.ui.min.js"></script>
<script type="text/javascript" src="js/libs/sockjs-e2b1fc0be3.min.js"></script>
<script type="text/javascript" src="js/libs/stomp-51779f8e6c.min.js"></script>
<!--<script type="text/javascript" src="js/libs/excanvas-884b8a4daa.min.js"></script>-->
<script type="text/javascript" src="js/libs/resize-observer-c32f1af8c3.min.js"></script>
<script type="text/javascript" src="js/libs/spectrum-dae9c90a3b.min.js"></script>
<script type="text/javascript" src="js/libs/jquery-202b9c1ad9.cookie.min.js"></script>
<script type="text/javascript" src="js/libs/perfect-scrollbar-85fff207d9.min.js"></script>
<script type="text/javascript" src="js/libs/lottie-cedc90aaa6.min.js"></script>
<script type="text/javascript" src="js/libs/cryptoJS-242f7a6460.min.js"></script>
<script type="text/javascript" src="js/libs/moment-761502841c.min.js"></script>
<script type="text/javascript" src="js/libs/moment-timezone-with-data-5c8ed7bc8a.min.js"></script>
<script type="text/javascript" src="js/libs/json2html-8826f30caf.min.js"></script>
<script type="text/javascript" src="js/libs/qiankun-af1f11c736.min.js"></script>
<script type="text/javascript" src="js/su/su-e7a464013a.js"></script>
<script type="text/javascript">
    $.su.language = new $.su.Language();
    var canvas = document.getElementById("canvas-test");
    try {
        canvas.getContext("2d");
        document.body.removeChild(canvas);
    } catch (e) {
        location.href = "./error.html";
    }
    var WebSocketsExist = !!window.WebSocket;
    if (!WebSocketsExist) {
        location.href = "./error.html";
    }
</script>

<script type="text/javascript" src="js/su/service-074f624000.js"></script>

<script type="text/javascript" src="js/su/data-fc10d8ee54.js"></script>

<script type="text/javascript" src="js/su/widget-665e38f169.js"></script>

<script type="text/javascript" src="js/su/form-a8aae2edd1.js"></script>

<script type="text/javascript" src="js/su/manager-a30c673f55.js"></script>

<script type="text/javascript" src="js/su/dataBind-f4e5c3f2c6.js"></script>

<script type="text/javascript" src="js/su/application-7c61407273.js"></script>

<script type="text/javascript" src="js/app/app-490d3af263.js"></script>

<script type="text/javascript">
    $(document).ready(function(e){
        App = new $.su.App();
        App.setContainer("main-container");
        App.init().done(function(){
            App.launch();
        });
    });
</script>
</body>
</html>

Hard to tell without further detail but this is just the login page as HTML.

An example of a request:

Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/sites/Default/devices" -Method Get -ContentType "application/json" -Headers $CsrfTokenHeader -UseBasicParsing

I will have to give it a shot with PowerShell when I get a chance. I haven't done so before.

### Set variables
$OMADA_URL = "https://URL"
$USERNAME = "username"
$PASSWORD = "password"

### Get controller id from the API
$CONTROLLER_ID = (Invoke-RestMethod -Uri "${OMADA_URL}/api/info" -Method Get -UseBasicParsing).result.omadacId

### Login, get token, set & use cookies
$loginRequestBody = @{
     username = $USERNAME
     password = $PASSWORD
 } | ConvertTo-Json

$loginResponse = Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/login" -Method Post -ContentType "application/json" -Body $loginRequestBody -SessionVariable session

$TOKEN = $loginResponse.result.token
$CsrfTokenHeader = @{
     "Csrf-Token" = $TOKEN
     "Content-Type" = "application/json"
 }

Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/sites/Default/devices" -Method Get -ContentType "application/json" -Headers $CsrfTokenHeader -UseBasicParsing

Is this still working with the latest controller released Sep 19, 2023?

Is this still working with the latest controller released Sep 19, 2023?

Yes

@eugen257 - so the only issue with your powershell is that you set the session variable but you never use it. According to this powershell reference, you need to use -WebSession $session to reference in in PowerShell 7.3 or older. I added a complete working example of a powershell above in the gist that matches what the bash example does.

@mbentley can you tell me how I can read all the settings and most importantly the MAC whitelist filter

It doesn't show anything useful. and the documentation also does not have a clear understanding of how to do this:

(Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/sites/638ef74e14f65e09652531f5/setting/firewall/macfilters?token=${TOKEN}" -Method Get -Headers $RequestHeaders -WebSession $OmadaSession).result

---

Why is the list not active here and I can’t activate it?

$macFilterConfig = @{
enable = $true
}

Invoke-RestMethod -Uri "$OMADA_URL/$OMADAC_ID/api/v2/sites/$SITE_ID/setting/firewall/macfilter" -Method Post -ContentType "application/json" -Body ($macFilterConfig | ConvertTo-Json) -Headers $RequestHeaders -UseBasicParsing -WebSession $OmadaSession

    0 Success. @{enable=False}

I wrote a similar example for the new openapi . See this gist

That doesn't work for me. What works is this but I still can't find how to add devices to the whitelist:

'### PowerShell Example'
'# set variables'
'$OMADA_URL = "https://omada.local" '
'$USERNAME = "login" '
'$PASSWORD = "pass" '

'# get controller id from the API'
'$CONTROLLER_ID = (Invoke-RestMethod -Uri "${OMADA_URL}/api/info" -Method Get -UseBasicParsing).result.omadacId'

'# set the login request body as json
'$loginRequestBody = @{
username = $USERNAME
password = $PASSWORD
} | ConvertTo-Json'

'# login, get token, set a session variable'
'$loginResponse = Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/login" -Method Post -ContentType "application/json" -Body $loginRequestBody -SessionVariable OmadaSession'

'# extract the token and create a variable for the headers'
'$TOKEN = $loginResponse.result.token'
'$RequestHeaders = @{
"Csrf-Token" = $TOKEN
"Content-Type" = "application/json"
}'

'# validate login'
'Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/loginStatus?token=${TOKEN}" -Method Get -Headers $RequestHeaders -WebSession $OmadaSession'

'# example to get info on the current user'
'$CurrentUser = Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/users/current?token=${TOKEN}&currentPage=1&currentPageSize=1000" -Method Get -Headers $RequestHeaders -WebSession $OmadaSession'
'$CurrentUser.result'

'#Sitens'
'$SITE = (Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/sites?currentPage=1&currentPageSize=1000" -Method Get -Headers $RequestHeaders -WebSession $OmadaSession).result.data'
'$SITE_ID = $SITE.id'

'#devices'
'(Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/sites/${SITE_ID}/devices" -Method Get -Headers $RequestHeaders -WebSession $OmadaSession).result | select name'

'#settings'
'(Invoke-RestMethod -Uri "${OMADA_URL}/${CONTROLLER_ID}/api/v2/sites/${SITE_ID}/setting?currentPage=1&currentPageSize=1000" -Method Get -Headers $RequestHeaders -WebSession $OmadaSession).result #| select name'

I'm running your docker container on an RPi4.
Using node-red http request node, I can get the omadacId' with the first request OK
But when trying to login I just get this error - "status":500,"error":"Internal Server Error","path":"/xxx/api/v2/login"
This is what I send
url: "https://192.168.0.254:8043/7761d21f15884e11039b39a6daa1ee22/api/v2/login" headers: object Content-Type: "application/json" username: "user" password: "pass" method: "post"

Any ideas what I'm doing wrong ?

I'm running your docker container on an RPi4. Using node-red http request node, I can get the omadacId' with the first request OK But when trying to login I just get this error - "status":500,"error":"Internal Server Error","path":"/xxx/api/v2/login" This is what I send url: "https://192.168.0.254:8043/7761d21f15884e11039b39a6daa1ee22/api/v2/login" headers: object Content-Type: "application/json" username: "user" password: "pass" method: "post"

Any ideas what I'm doing wrong ?

I would have to guess it is because you're not sending the data payload correctly. It needs to be JSON like: {"username": "admin", "password": "Testing12345!"}.

Thanks for replying, I managed to sort this now.

Thank you for the example @mbentley. It works smoothly

#!/bin/bash
#> Example API Calls Using Powershell and Bash/curl for Omada Controller (last validated on 5.12.7) - mbentley
#> REF :::: https://gist.github.com/mbentley/03c198077c81d52cb029b825e9a6dc18
#> Comments and Edits - Ibrahim Kiptoo Kibowen ([email protected])
#> Tunawakilisha +254 (Representing the +254)

#> ## Bash Example
#> set variables

OMADA_URL="https://192.168.7.38:8043"
USERNAME="tuxhot"
PASSWORD="Ugali@a95H"

#>#**************************************************************************************************
#>#MOD :::: BEGIN :::: COMMENT & DISCUSSION - July 8th, 2025 - filtering incoming json array in bash
#>#**************************************************************************************************
#> Niletee mandazi tatu na chapo mbili changanya na maharagwe ya finje!
#> (Bring three mandazis and two chapatis mixed with beans for fifty bob!)

#bash-5.1$ jq
#>bash: jq: command not found
#> OK - filtering without jq tool (JSON Processing tool :)
#> OS info
#> Distro: Slackware 15.0
#> bash: GNU bash, version 5.1.16(1)

#>LETS ROLL!
#>debug - testing
#>dump echo below in file called omadaapi.sh and remember to make file executable
#in bash skript, escape each double quote with a backslash

echo "{\"errorCode\":0,\"msg\":\"Success.\",\"result\":{\"controllerVer\":\"5.14.26.1\",\"apiVer\":\"3\",\"configured\":true,\"type\":1,\"supportApp\":true,\"omadacId\":\"e72e7b8b12b007a8595af9a64b76e57c\",\"registeredRoot\":true,\"omadacCategory\":\"advanced\",\"mspMode\":false}}"

#./omadaapi.sh|grep -oE '\"omadacId(\"\:\"[[:alnum:]]*\")'
#> "omadacId":"e72e7b8b12b007a8595af9a64b76e57c"
#>[[:alnum:]] --> alphanumeric match
#. -E extended & -o only exact string in sentence
#>"omadacId(":"[[:alnum:]]*") -->omadacId()
#> added flags -i for case insenstive
#./omadaapi.sh|grep -ioE '\"omadacId(\"\:\"[[:alnum:]]*\")'
#> "omadaCId":"e72e7b8b12b007a8595af9a64b76e57c"
#> remove evertying before delimter --> ":"
#> (REF :::: https://askubuntu.com/questions/438383/how-can-i-use-sed-to-remove-all-characters-before-a-specific-symbol)
#./omadaapi.sh|grep -ioE '\"omadacId(\"\:\"[[:alnum:]]*\")'|sed 's/^[^:]*:/:/'
#> :"e72e7b8b12b007a8595af9a64b76e57c"
#> same as above but also removes delimtere
#./omadaapi.sh|grep -ioE '\"omadacId(\"\:\"[[:alnum:]]*\")'|sed 's/^[^:]*://'
#> "e72e7b8b12b007a8595af9a64b76e57c"
#>remove double quotes
# ./omadaapi.sh|grep -ioE '\"omadacId(\"\:\"[[:alnum:]]*\")'|sed 's/^[^:]*://'|sed 's/\"//g'
#> e72e7b8b12b007a8595af9a64b76e57c
#> same as above but removing any spaces :)
# ./omadaapi.sh|grep -ioE '\"omadacId(\"\:\"[[:alnum:]]*\")'|sed 's/^[^:]*://'|sed 's/\"//g'|tr -d ' '
#> e72e7b8b12b007a8595af9a64b76e57c
##**************************************************************************************************
##MOD :::: END :::: COMMENT & DISCUSSION - July 8th, 2025 - filtering incoming json array in bash
##**************************************************************************************************

#> get controller id from the API
#> original curl# CONTROLLER_ID="$(curl -sk "${OMADA_URL}/api/info" | jq -r .result.omadacId)"
#> debug
#curl -sk "${OMADA_URL}/api/info"
#> {"errorCode":0,"msg":"Success.","result":{"controllerVer":"5.14.26.1","apiVer":"3","configured":true,"type":1,"supportApp":true,"omadacId":"e72e7b8b12b007a8595af9a64b76e57c","registeredRoot":true,"omadacCategory":"advanced","mspMode":false}}:

#>MOD :::: July 8th, 2025 - filtering incoming json string to get omadaid (see discussion above)
CONTROLLER_ID="$(curl -sk "${OMADA_URL}/api/info"|grep -ioE '\"omadacId(\"\:\"[[:alnum:]]*\")'|sed 's/^[^:]*://'|sed 's/\"//g'|tr -d ' ')"

#> login, get token, set & use cookies
#>original token call
#TOKEN="$(curl -sk -X POST -c "/tmp/omada-cookies.txt" -b "/tmp/omada-cookies.txt" -H "Content-Type: application/json" "${OMADA_URL}/${CONTROLLER_ID}/api/v2/login" -d '{"username": "'"${USERNAME}"'", "password": "'"${PASSWORD}"'"}' | jq -r .result.token)"

#> debug
# curl -sk -X POST -c "/tmp/omada-cookies.txt" -b "/tmp/omada-cookies.txt" -H "Content-Type: application/json" "${OMADA_URL}/${CONTROLLER_ID}/api/v2/login" -d '{"username": "'"${USERNAME}"'", "password": "'"${PASSWORD}"'"}'
# {"errorCode":0,"msg":"Log in successfully.","result":{"omadacId":"e72e7b8b12b007a8595af9a64b76e57c","token":"1ec0b34707ae449b8846fba1ddca94de"}}

#>MOD ::: July 8th, 2025 - - filtering incoming json string to get token
TOKEN="$(curl -sk -X POST -c "/tmp/omada-cookies.txt" -b "/tmp/omada-cookies.txt" -H "Content-Type: application/json" "${OMADA_URL}/${CONTROLLER_ID}/api/v2/login" -d '{"username": "'"${USERNAME}"'", "password": "'"${PASSWORD}"'"}'|grep -ioE '\"token(\"\:\"[[:alnum:]]*\")'|sed 's/^[^:]*://'|sed 's/\"//g'|tr -d ' ')"

#> once logged in, make sure you add the following header on additional API calls:
#> -H "Csrf-Token: ${TOKEN}"

#> validate login
#> original call# curl -sk -X GET -b "/tmp/omada-cookies.txt" -H "Content-Type: application/json" -H "Csrf-Token: ${TOKEN}" "${OMADA_URL}/${CONTROLLER_ID}/api/v2/loginStatus?token=${TOKEN}" | jq .
#>MOD :::: July 8th, 2025 - removed pipe to jq
curl -sk -X GET -b "/tmp/omada-cookies.txt" -H "Content-Type: application/json" -H "Csrf-Token: ${TOKEN}" "${OMADA_URL}/${CONTROLLER_ID}/api/v2/loginStatus?token=${TOKEN}"
#> {"errorCode":0,"msg":"Success.","result":{"login":true}}

#> example to get info on the current user
curl -sk -X GET -b "/tmp/omada-cookies.txt" -H "Content-Type: application/json" -H "Csrf-Token: ${TOKEN}" "${OMADA_URL}/${CONTROLLER_ID}/api/v2/users/current?token=${TOKEN}&currentPage=1&currentPageSize=1000"
#> {"errorCode":0,"msg":"Success.","result":{"id":"686d133f58d5f00e041539fe","type":0,"roleId":"admin_id","roleName":"Administrator","name":"tuxhot","email":"[email protected]","omadacId":"e72e7b8b12b007a8595af9a64b76e57c","privilege":{"sites":[{"name":"hut","category":"advanced","key":"68447efde21e9b2f114123ae"}],"lastVisited":"68447efde21e9b2f114123ae","lastSiteCategory":"advanced","all":true},"disaster":0,"needFeedback":true,"forceModify":false,"dbnormal":true,"view":0,"root":false,"userLevel":0}}

#> Sasa hii chapo ndogo hivi, nani atashiba
#> (Who will be satisified with such small chapatis)
#> Tunawakilisha +254 (Representing the +254)

:)