
If the authentication request is successful, a bearer token is returned, which is then used for all OData REST API requests. Tokens automatically expire at the server end; S4D will automatically re-authenticate to get a new token if less than five minutes remain before expiry. Tokens are kept in memory only.
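The token handling described above, sketched as an added example (this is not S4D's own code). The `authenticate` callable and the injectable `clock` are hypothetical names, assumed to stand in for the real authentication request and the system clock.

```python
import threading
import time
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

REFRESH_MARGIN_SECONDS = 5 * 60  # re-authenticate when less than five minutes remain


@dataclass
class BearerTokenCache:
    """Holds one bearer token in process memory only; nothing is written to disk."""
    # Hypothetical callable: performs the authentication request and
    # returns (token, lifetime_in_seconds).
    authenticate: Callable[[], Tuple[str, float]]
    clock: Callable[[], float] = time.monotonic
    _token: Optional[str] = field(default=None, repr=False)  # kept out of repr/logs
    _expires_at: float = field(default=0.0, repr=False)
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def seconds_remaining(self) -> float:
        return max(0.0, self._expires_at - self.clock())

    def get(self) -> str:
        """Return a token with at least the refresh margin of lifetime left."""
        with self._lock:  # one re-authentication even with concurrent callers
            if self._token is None or self.seconds_remaining() < REFRESH_MARGIN_SECONDS:
                token, lifetime = self.authenticate()
                if not token or lifetime <= 0:
                    raise RuntimeError("authentication returned no usable token")
                self._token = token
                self._expires_at = self.clock() + lifetime
            return self._token

    def auth_header(self) -> dict:
        # Header attached to each OData REST API request.
        return {"Authorization": f"Bearer {self.get()}"}
```

Because the token field is excluded from `repr`, logging the cache object does not leak the bearer token.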

Security considerations

  • Access to the connection strings config file should be restricted as standard practice.

  • All authentication and API service requests are encrypted using SSL over HTTPS. There is no unencrypted HTTP option.

  • The API user must be an Application user; a normal user login is not allowed. For ease of administration, a dedicated user is recommended.