
Security of OutSystems applications


How can I create secure REST APIs with OutSystems Platform?

When exposing a REST API, a team can configure the service to require authentication. There are three authentication modes available:

  • None: Anyone can invoke the API without needing to authenticate;

  • Basic: To invoke the REST API, a team will need to specify a username and password in the HTTP headers of the request;

  • Custom: An organization can implement its own authentication mechanism.

Basic authentication

To require username/password authentication in a team's REST APIs, a team has the option to add basic authentication. This is done in the visual IDE by setting the 'Authentication' parameter for the service.

Once a service has basic authentication, all clients that use the API need to send the credentials in the HTTP headers of the request. If no credentials are present, OutSystems Platform automatically returns a JSON response with an error message, which looks like:

  {
    "Errors": [
      "Basic Authentication required."
    ]
  }
When clients send their credentials, OutSystems Platform makes them available as parameters. This automates much of the boilerplate code that developers need to implement this functionality.
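
The sketch below is an added example, not OutSystems code: it shows in Python the header handling that basic authentication involves, from decoding the Authorization header into a username and password to returning the error body shown above when credentials are missing. The account store, the "Invalid credentials." message and all function names are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample store (hypothetical): username -> PBKDF2-SHA256 password hash.
_SALT, _ITER = b"constructed-salt", 100_000
USERS = {"api_client": hashlib.pbkdf2_hmac("sha256", b"s3cret:with:colons", _SALT, _ITER)}

# Error body the page shows for requests that carry no credentials.
AUTH_REQUIRED = {"Errors": ["Basic Authentication required."]}


def make_header(username, password):
    """Client side. Base64 is an encoding, not encryption: send only over TLS."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic(header):
    """Return (username, password) from an Authorization header value, or None."""
    scheme, _, token = (header or "").strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the fields; a password may contain colons.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep and username else None


def authenticate(headers):
    """Return (authenticated, json_body) for a request's headers dict."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return False, AUTH_REQUIRED
    username, password = creds
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    expected = USERS.get(username, b"\x00" * 32)
    # Constant-time compare; unknown users still pay the hashing cost.
    ok = hmac.compare_digest(actual, expected) and username in USERS
    if ok:
        return True, {"user": username}
    return False, {"Errors": ["Invalid credentials."]}  # constructed message
```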


For custom authentication, a team implements its own authentication logic by using existing hooks. In this case, a team could use built-in methods to check the HTTP header and body the client sent.

Alternatively, a team can also use its own C# and Java code to extend the built-in methods.
