The Kandy WebRTC API by Ribbon lets you implement web real-time communication (WebRTC) in your application for safe and stable video calls using the Kandy platform. It provides you with a simple model for connecting 2 parties into a call and simplifies the developer experience with its SDKs.

This API is used to create subscribers on the Kandy platform that can make and receive voice and video calls using the Kandy SDKs.

API specification

Test the API on SwaggerHub

Base URL

Conceptual model

Conceptual model



You must add products to your account’s product inventory before any of your application’s users can make voice and video calls. At the moment only 1 product is exposed in the KPN API store: KPN-VoiceVideo-C. This product entitles a user of your application to take part in a voice and video call.

You will be charged on a monthly basis according to the peak number of products in your inventory during the month.


Manage your account’s product inventory by making increment or decrement orders. You can add products to the inventory up to an agreed limit and you can decrement the product inventory if you have less demand.


You must define each of your application’s users as a subscriber on the Kandy platform. The subscriber can make or receive voice and video calls when it is created with a KPN-VoiceVideo-C product. Each subscriber will consume 1 of the products in your account’s available product inventory. A subscriber can make calls to other subscribers using the subscriber identity.

The subscriber's identity, and its authentication credentials, are used to initialize the Kandy SDK for making and receiving calls. When a subscriber is deleted, the product that it was using will be returned to your account’s available product inventory. When a subscriber is deleted, any application using this subscriber will be 'forced out' of the Kandy SDK.

Depending on your use case, a subscriber might be persistent (for example, a customer services agent who regularly uses your application to make and receive calls) or temporary (for example, a customer who uses your application infrequently to the customer services agent).

Kandy SDK

Voice and video calls require 3 elements:

  • A WebRTC engine.
  • A subscriber on the Kandy platform.
  • The application’s user interface.

The Kandy SDK provides coordination of these 3 elements to simplify the task of integrating voice and video into an application. The Kandy SDK for JavaScript relies on a WebRTC engine provided by the browser, whereas the Kandy SDKs for iOS and Android come with their own WebRTC engine.

API workflow

Sequence Diagram

WebRTC workflow

API workflow


  • This API allows you to provision subscribers and products in order to use Kandy WebRTC. The actual video solution is provided by Kandy. Depending on your platform, you can use web browsers, such as Google Chrome, Mozilla Firefox and Safari – or Software Development Kits (SDK) for Android, iOS or JavaScript.


  • Security: WebRTC is a technology with security as a high priority. Browser applications that wish to use WebRTC must be operating from secure sources so that the media can be secured between the parties in a call.

Getting started

Make sure you've read What's in it for you for more info on how to register and start testing APIs.


The API follows the KPN Store API Authentication Standard to secure the API. It includes the use of OAuth 2.0 client_id and client_secret to receive an access token.

Go to the Authentication tab on top of this page to find out how to:

  • Authenticate to an API using cURL.
  • Authenticate to an API on Swaggerhub.
  • Import Open API Specifications (OAS), also called Swagger files into Postman.

How to...

Provision products and subscribers

Follow these steps to get provisioned for the Kandy WebRTC API:

  1. POST /order: Order the required number of KPN-VoiceVideo-C products into your account’s product inventory. An order number is returned.
  2. GET /order: Retrieve the order number to verify that the order has been fulfilled. If not, contact us. Orders should be fulfilled automatically up to an agreed total EUR limit for your account’s product inventory.
  3. GET /inventory: Check your account’s product inventory to ensure you have the expected number of products.
  4. POST /subscriber: Create a subscriber. Creating a subscriber consumes 1 KPN-VoiceVideo-C product from your account’s product inventory. An error will occur if you don't have sufficient products in your inventory.
  5. Use the subscriber's credentials in your application.
  6. DELETE /subscriber: Delete subscribers after your users have finished with them.
  7. POST /order: If you need to reduce your product inventory, you can make a decrement order.

You don’t need to immediately decrement the product that had been used by the subscriber from your account’s product inventory. You can keep KPN-VoiceVideo-C products available so that you can create more subscribers when needed. See Step 4.

How does KPN charge you?

You are charged for the peak number of products you have in your account’s product inventory for a month.

There is no need to order a new product every time you create a new subscriber. Products will be returned to your account’s product inventory when a subscriber is deleted. You can keep KPN-VoiceVideo-C products in your account’s product inventory so that they are ready and available when you need to create new subscribers.

Use the Kandy SDKs

For more information on how to use Kandy WebRTC SDKs with your applications, please refer to the latest tutorials and documentation on GitHub:

JavaScript (kandy-link-js-sdk)

Check out the SDK documentation and tutorials that guide through the configurations, how to connect users and how to make video and voice calls:

Android (kandy-link-android-sdk)

Check out the tutorials and the SDK reference:

iOS (kandy-link-ios-sdk)

Check out the tutorials and the SDK reference:

Return codes

Code Description
200 Success.
201 Created.
202 Accepted.
302 Found. Link in location header.
400 Bad request.
401 Unauthorized.
403 Forbidden.
404 Not found.
405 Method not allowed.
412 Precondition failed.
429 Too many requests.
500 Internal server error.
502 Bad gateway.
503 Service unavailable.

HTTP response headers

The following tables display the standard response headers that are returned with each API response:

Standard response field name Description
sunset This field will be populated with the deprecation details. By default the value is n/a.
api-version Indicates the API version you have used.
quota-interval Used to specify an integer (for example, 1, 2, 5, 60, and so on) that will be paired with the quota-time-unit you specify (minute, hour, day, week, or month) to determine a time period during which the quota use is calculated.
For example, an interval of 24 with a quota-time-unit of hour means that the quota will be calculated over the course of 24 hours.
quota-limit Number of API calls an user can make within a given time period.
If this limit is exceeded, the user will be throttled and API requests will fail.
quota-reset-UTC All quota times are set to the Coordinated Universal Time (UTC) time zone.
quota-time-unit Used to specify the unit of time applicable to the quota.
For example, an interval of 24 with a quota-time-unit of hour means that the quota will be calculated over the course of 24 hours.
quota-used Number of API calls made within the quota.
strict-transport-security The HTTP Strict-Transport-Security (HSTS) response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. All present and future subdomains will be HTTPS for a maximum of 1 year and access is blocked to pages or sub domains that can only be served over HTTP including HSTS preload lists of web browsers.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.
Access control field name Description
access-control-allow-credentials Tells browsers whether to expose the response to frontend JavaScript when the request's credentials mode (Request.credentials) is include.
When a request's credentials mode (Request.credentials) is include, browsers will only expose the response to frontend JavaScript if the Access-Control-Allow-Credentials value is true. Boolean.
access-control-allow-origin Indicates whether the response can be shared with requesting code from the given origin.
access-control-allow-headers Used in response to a pre-flight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.
access-control-max-age Indicates how long the results of a pre-flight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached.
access-control-allow-methods Indicates which HTTP methods are allowed on a particular endpoint for cross-origin requests.
For example: GET, PUT, POST, DELETE.
content-length The Content-Length entity header indicates the size of the entity-body, in bytes, sent to the recipient.
content-type The Content-Type entity header the client what the content type of the returned content actually is.

Mopinion feedback