Accessing ejabberd ReST API through node js app

I have an ejabberd (16.01) server running on Ubuntu 16.04. I have another NodeJs application running on different server. Through NodeJs application, I wish to add users, add rosters, etc by using ReST API given at https://docs.ejabberd.im/developer/ejabberd-api/.

I am doing simple configuration given at https://docs.ejabberd.im/developer/ejabberd-api/simple-configuration/ for this exercise. The configuration says to add below snippet:

  commands_admin_access:
    - allow:
      - user: "admin@localhost"
  commands:
    - add_commands: [user, admin, open]
  # Tokens are valid for a year as default:
  auth_expire: 31536000
  oauth_access: all

The problem here is, the documentation does not specify under what header these configuration needs to be added? The exact location of this configuration is totally missing!

I added the above configuration at the end of the file. However, ejabberd server does not recognise these options. The logs says:

validate_opts:792 unknown option 'auth_expire' will be likely ignored
validate_opts:792 unknown option 'api_permissions' will be likely ignored
validate_opts:784 ignoring option 'commands_admin_access' with invalid value: [[{allow,[[{user,<<"ankit@replica3377.cloudapp.net">>}]]}]]

Below is the extra configuration I have added in ejabberd.yml file:

commands_admin_access:
  - allow:
    - user: "ankit@replica3377.cloudapp.net"
commands:
  - add_commands:
    - status
    - registered_users
    - register
    - unregister
# Tokens are valid for a year as default:
auth_expire: 31536000
oauth_access: all

api_permissions:
  "API used from localhost allows all calls":
    - who:
      - ip: "168.63.209.95"
    - what:
      - "*"
      - "!stop"
      - "!start"

I think the documentation is not very clear. Can someone suggest what I am doing wrong here? Or is there any alternate way to achieve what I am trying to do?

You are using very old version of Ejabberd. Latest is 17.04 which has lots of changes in API permission framework from 16.01 .

First, let me clarify reasons for warnings you are seeing.

'auth_expire' -- Actual parameter name is 'oauth_expire'. Looks like there is mistake in documentation. Please refer this link for code.
'api_permission' -- This parameter got introduced in 16.12 version. Please refer this link.
'commands_admin_access' -- In 16.01 version this parameter takes only atom as input. ACL support was introduced in later releases. So you can create ACL rule and provide rule name like this.

Now answer to the question of where to add this parameters -- You can add this parameter wherever you want as far as you are following guidelines of yaml format. Since this are independant configurations, it should not be under any other configuration. You can put it at the end and it should work without any issue.