Spiceworks – the system administration, inventory, and help desk software – is a fantastic tool to keep track of everything happening on your network. Even if you don’t use it extensively, it’s automated scanning and alerting can still be an incredibly handy way to get alerts of potential issues with your hardware and software.

One surprising limitation of the software is the lack of an external API. You can develop a plugin to sit within Spiceworks and use the data there, but you cannot easily pull data and use it externally (for example: an IT status board). Workarounds have been presented in various forums, such as directly accessing the SQLite database.

One little gem I discovered is an internal JSON API, which makes available a wealth of information via GET commands. This is used by the application’s core, but is also available to plugins. You can try this out on your own Spiceworks installation by going to URLs such as http://localhost/api/alerts.json (replacing ‘localhost’ with the IP or hostname of the server if you’re accessing it from another computer).

Here is a list of URLs I have found to work:

/api/alerts.json
/api/alerts.json?filter=recent
/api/data_monitors.json
/api/groups.json
/api/hotfixes.json
/api/reports.json
/api/services.json
/api/software.json
/api/users.json

Further URLs have been posted on their forums, although I have not personally verified all of them.

You can call these so long as you are logged into a Spiceworks account with the correct privileges to view that data – and this must be done via browser sessions and cookies. There isn’t the option to authenticate directly to the page via basic auth, API keys, or any other method.

The Solution

If you want to access this JSON data, there is a solution which I have built and tested.

The premis behind it is this: using cURL, we connect to the login page, pass our credentials, and then proceed to the API page(s) to get the data we desire. All the while, we are storing and passing cookies and session data.

The cURL options “CURLOPT_COOKIEFILE” and “CURLOPT_COOKIEJAR” allow for reading and writing all cookies to a TXT file on the server. This means we can make multiple requests while maintaining the session state.

I’ve uploaded the source code to GitHub. You can download this, change the settings at the top of the file, and give it a spin. At the moment, this code is just some messy procedural PHP code which I’ve thrown together.

Once it has fetched the API pages you need, it will just output it to the browser. You will need to extend this yourself to do whatever you want with it.

Let me know if you find this code useful, and feel free to contribute any modifications back for me to share with the world.