
Security of OutSystems applications


How can I create secure REST APIs with OutSystems?

When exposing a REST API, a team can configure the service to require authentication. There are three authentication modes available:

  • None: Anyone can invoke the API without authenticating;

  • Basic: To invoke the REST API, the client must send a username and password in the HTTP headers of the request;

  • Custom: An organization can implement its own authentication mechanism.

Basic authentication

To require username/password authentication for a REST API, a team can enable basic authentication. This is done in the visual editor by setting the 'Authentication' parameter of the service.

Once a service has basic authentication enabled, every client that calls the API must send its credentials in the HTTP headers of the request. If no credentials are present, OutSystems automatically returns a JSON error response, which looks like:

{
  "Errors": [
    "Basic Authentication required."
  ],
  "StatusCode":401
}

When clients send their credentials, OutSystems makes them available to the API's logic as parameters. This removes much of the boilerplate code that developers would otherwise write to implement authentication.

Custom

A team can implement its own authentication logic by using the existing hooks. In this case, built-in methods are available to inspect the HTTP headers and body that the client sent.

Alternatively, a team can extend the built-in methods with its own custom code.
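To make the Basic and Custom sections concrete, here is an added example (not OutSystems code, and not tied to its visual hooks) that shows both sides of the check described above: a client building the `Authorization: Basic` header, and a server-side routine that parses it, validates it with a constant-time comparison, and returns the same 401 JSON body the page shows when credentials are missing or wrong. The user store, the helper names and the credentials are constructed for the demo.

```python
import base64
import binascii
import hmac

# Constructed credential store for the demo. A real service would look users up
# in its identity store and compare against a password hash, not a literal.
DEMO_USERS = {"api-client": "s3cret-pass"}

# The error body returned when credentials are missing (format taken from the page).
UNAUTHORIZED_BODY = {"Errors": ["Basic Authentication required."], "StatusCode": 401}


def build_basic_header(username, password):
    """Client side: build the 'Authorization' header value for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_credentials(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value, else None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: treat exactly like missing credentials
    # RFC 7617: the user-id may not contain ':', so split on the first colon only.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def authenticate(headers, users=DEMO_USERS):
    """Server side: return (status_code, body) for the given request headers."""
    # Header names are case-insensitive, so normalise before looking one up.
    lowered = {name.lower(): value for name, value in headers.items()}
    creds = parse_basic_credentials(lowered.get("authorization"))
    if creds is None:
        return 401, UNAUTHORIZED_BODY
    username, password = creds
    expected = users.get(username, "")
    # Constant-time comparison avoids leaking how much of the password matched.
    password_ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if username not in users or not password_ok:
        return 401, UNAUTHORIZED_BODY
    return 200, {"User": username}
```

The same parsing routine is what a custom hook would run over the incoming headers before applying its own credential lookup.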
