Access to functions and information on the ThingWorx Foundation server is controlled by Users. The REST API can be used to create, list, and delete Users.
Get Usernames of all Users
The REST API exposes the ability to retrieve collections of Entities so that a UI can be dynamically updated with current data.
AppKey created by your Foundation server
Construct the URL. Include the hostname and authentication credentials for your specific ThingWorx server as described below. The Usernames of all Users can be returned by making a GET request to this endpoint:
Authenticate Request. All API requests to the ThingWorx server must be authenticated either with a username and password or with an appKey. For this example we will authenticate by passing the appKey as a URL query string parameter. The parameter appKey is recognized by the ThingWorx server as an authentication credential in requests, it can be passed either as a URL query string parameter .../CreateThing?appKey=64b87... , or as request header appKey: 64b87...
Send request parameters. Other than authentication, no other parameters are used in this GET request.
It is possible for the content to be returned in four different formats by sending anAcceptheader with the request.
You should expect to get back the status code of200 - OKeither with or without content. In the case of an error, you will receive an error message. You can use the following table to diagnose the issue.
appKey is incorrect or missing
Content-Type request header is not set to application/json Sometimes returned instead of a 404 A Property with that name already exists on the platform
404- Not Found
Incorrect URL or API endpoint Thing or Property has not been created Incorrect ThingTemplate name Required parameter missing from request
405- Invalid Request
Incorrect request verb; for example a GET was used instead of PUT or POST
406- Not Acceptable
Invalid JSON in PUT or POST request Thing [Thing name] already exists: A Thing with that name already exists on the platform
500- Internal Server Error
Content-Type request header is not set for a service execution POST, required even without a POST body Content-Type request header is not set for DELETE request, required despite the fact that DELETE does not send any content
503- Service Unavailable
Thing  is not running RestartThing endpoint must be called Thing  is not enabled EnableThing endpoint must be called
Step 13: Authentication Tags
There are different ways to authorize requests.
AppKey in HTTP Request Header
We recommend you place the appKey in the HTTP request header rather than passing the appKey as a URL parameter. This prevents the appKey from being written into server log files that may be seen by someone who is not authorized to modify the ThingWorx server.
To send an appkey in a URL request string parameter, check theAllow Application Key as URL Parametercheckbox in thePlatformSubsystemConfiguration. If the ThingWorx server is using HTTPS, the parameter will be encrypted in transit, however the appKey may be comprised because full request URLs are often written to server log files.
We do not recommend Basic Auth, because the username and password used are NOT encrypted and could be used to log into the ThingWorx platform. To demonstrate that username and password are not encrypted, copy the string in the Authorization line afterBasictoBase64 Decodethen clickDECODE.
http -v -j http://iotboston.com:8887/Thingworx/Things/aTestThing/Properties/CurrentTemp -a Administrator:password1