API authentication and security

S4D uses the standard OAuth2 authentication mechanism: it requests a token for each specific instance from a tenant-specific endpoint, using the Application ID and Client secret configured in the connection string.

If the authentication request is successful, a bearer token is returned, which is then used for all OData REST API requests. Tokens automatically expire at the server end; S4D will automatically re-authenticate to get a new token if less than five minutes remain before expiry. Tokens are kept in memory only.

Security considerations

  • Access to the connection strings config file should be restricted as standard practice

  • All authentication and API service requests are encrypted in transit using TLS (HTTPS). There is no unencrypted HTTP option

  • The API user must be an Application user; a normal user login is not allowed. For ease of administration, a dedicated user is recommended
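As an added illustration of the token handling and the HTTPS-only rule described above (example code written for this page, not S4D's own implementation): a minimal client-credentials token cache that keeps the bearer token in memory only and re-authenticates once fewer than five minutes remain before expiry. The Microsoft identity platform endpoint layout and the `/.default` scope form are assumptions, as are the injectable `fetch` and `clock` callables that let the example run offline.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict

REFRESH_MARGIN = 5 * 60  # seconds: re-authenticate when less than five minutes remain


def post_form(url: str, form: Dict[str, str]) -> Dict[str, object]:
    """Default transport: POST a form-encoded body to the token endpoint, parse the JSON reply."""
    if not url.startswith("https://"):
        raise ValueError("token endpoint must use HTTPS")  # the client secret never travels in clear
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)


class TokenCache:
    """In-memory bearer token for one instance, re-fetched shortly before it expires."""

    def __init__(self, tenant_id: str, client_id: str, client_secret: str, instance_url: str,
                 fetch: Callable = post_form, clock: Callable[[], float] = time.time):
        # Assumed endpoint layout and scope form (Microsoft identity platform v2.0); not stated on the page.
        self.endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
        self.form = {
            "grant_type": "client_credentials",
            "client_id": client_id,          # Application ID from the connection string
            "client_secret": client_secret,  # Client secret from the connection string
            "scope": instance_url.rstrip("/") + "/.default",
        }
        self.fetch, self.clock = fetch, clock
        self.token, self.expires_at = None, 0.0
        self.fetch_count = 0  # how many times we actually authenticated

    def seconds_remaining(self) -> float:
        return self.expires_at - self.clock()

    def get(self) -> str:
        """Return a valid token, re-authenticating if fewer than five minutes remain."""
        if self.token is None or self.seconds_remaining() < REFRESH_MARGIN:
            reply = self.fetch(self.endpoint, self.form)
            self.token = reply["access_token"]
            self.expires_at = self.clock() + float(reply["expires_in"])
            self.fetch_count += 1
        return self.token

    def header(self) -> Dict[str, str]:
        """Authorization header for an OData REST request."""
        return {"Authorization": "Bearer " + self.get()}
```

The secret is only ever placed in the request body of a TLS-protected POST; nothing here writes it to disk or to a log.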