Hi! We have users that want to get some data from Appfarm using APIs. We have created some services, and a lot of endpoints for fetching data from a database. Is it possible to hide the endpoints which the user is not authorized to use? (They only need 1 or 2 endpoints.) And how can the user get access to the services without logging in through a browser?
Do you mean endpoints’ visibility in the generated OpenAPI explorer? If so, this is not possible. This is only meant for testing and documentation purposes during development, and we recommend turning it off in production. We may also implement a permission rule to access it in the future.
Today, service endpoints can be accessed mainly in two ways. They can be invoked as the logged-in user in an app, using the session cookie as authentication. The other way is to use an API key and invoke them on behalf of a service account. This means there is currently no way to call a service externally authenticated as an Appfarm user. In the future, it will be possible to use OAuth2 to get an access key that can be used to invoke services as a normal user.
Can you provide more details about your use case, and maybe we can come up with a good solution?
Thank you for the clarification. The issue is not critical, so I’ll wait for the OAuth2 implementation.
I am wondering about this very issue as well, and am interested in updates @Ole
We have a customer that is very interested in API output of their data. It would be awesome to just send the swagger documentation, but limited to what they can access. Since you need to log in to see the swagger page, I imagine that you could somehow filter or extract the specific Services that they have access to, based on the Service Permissions?
We also just send them a screenshot of the specific documentation, but the live link would of course be a better and scalable approach.
However, I am not sure about data security here, thinking that this data type is the same for several companies, and I don't want them to easily access other companies' data. I don't think I can set object-specific (company) limitations on a Service Account or API key (as I can for a User through another object), and it doesn't feel secure to just have e.g. company ID as a query parameter. Would the best approach be to set up separate services for each company, or do you have another solution here?