
S4D uses the standard OAuth2 authentication mechanism. It requests a token for each specific instance from a tenant-specific endpoint, using the Application ID and Client secret configured in the connection string.

If the authentication request is successful, a bearer token is returned which is then used for all OData REST API requests. Tokens automatically expire at the server end; S4D will automatically re-authenticate to get a new token if less than 5 minutes remain before expiry. Tokens are kept in-memory only.
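The token handling described above can be sketched as follows. This is an added example, not S4D's own code: the class and function names, the placeholder endpoint URL and the use of the standard OAuth2 client-credentials form fields are assumptions.

```python
import json
import time
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

REFRESH_MARGIN_S = 5 * 60  # re-authenticate when less than 5 minutes remain


def post_form(url, form):
    """POST an OAuth2 token request and return the parsed JSON reply."""
    with urlopen(Request(url, data=urlencode(form).encode()), timeout=30) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical in-memory bearer token holder for one instance."""

    def __init__(self, token_url, app_id, client_secret, fetch=post_form, clock=time.monotonic):
        if urlsplit(token_url).scheme != "https":
            raise ValueError("token endpoint must be HTTPS")
        self._url, self._fetch, self._clock = token_url, fetch, clock
        self._form = {"grant_type": "client_credentials",
                      "client_id": app_id, "client_secret": client_secret}
        self._token, self._expires_at = None, 0.0  # held in memory only

    def headers(self):
        """Authorization header for an API request; refreshes the token when due."""
        if self._token is None or self._expires_at - self._clock() < REFRESH_MARGIN_S:
            requested_at = self._clock()
            reply = self._fetch(self._url, self._form)
            if str(reply.get("token_type", "")).lower() != "bearer" or not reply.get("access_token"):
                raise RuntimeError("token request did not return a bearer token")
            self._token = reply["access_token"]
            self._expires_at = requested_at + float(reply["expires_in"])
        return {"Authorization": "Bearer " + self._token}


def demo():
    """Constructed run: fake endpoint and fake clock, no network access."""
    now, issued = [0.0], []
    def fake_fetch(url, form):
        issued.append(f"token-{len(issued) + 1}")
        return {"token_type": "Bearer", "access_token": issued[-1], "expires_in": 3600}
    cache = TokenCache("https://login.example.invalid/TENANT/token", "app-id", "secret",
                       fetch=fake_fetch, clock=lambda: now[0])
    def at(t):
        now[0] = t
        return cache.headers()["Authorization"]
    return [at(0.0), at(3299.0), at(3301.0)]  # 3600 s, 301 s, 299 s before expiry
```

Expiry is measured from the moment the request was sent rather than when the reply arrived, so network latency can only make the refresh happen earlier, never later.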

Security considerations

  • Access to the connection strings config file should be restricted as standard practice.

  • All authentication and API service requests are encrypted using SSL over HTTPS. There is no unencrypted HTTP option.

  • The API user must be an Application user; a normal user login is not allowed. For ease of administration, a dedicated user is recommended.
