Version: 2.2.1

Authorization guide

Authentication is the process of verifying the identity of a user or application; authorization is the process of granting that verified identity permission to access SoftExpert Suite data and resources. Together they control who can call the Suite's APIs and web services, and what each caller is allowed to do.

Illustration showing a client application between the SoftExpert Suite server and the end user in the authorization framework.

Where:

  • End user corresponds to the SoftExpert Suite user. The end user requests access to protected resources (e.g., workflows, documents, etc.).
  • My App is the client application requesting access to protected resources on behalf of the end user (for example, a mobile app, web app, or an integration).
  • The SoftExpert server hosts the protected resources and authenticates and authorizes each request via an API key or HTTP Basic authentication.

Using the API key

To securely integrate SoftExpert Suite with your application, one of the currently recommended approaches is the API key. The API key is a JSON Web Token (JWT): a signed, base64url-encoded token that identifies the user on whose behalf the request is made. All requests to APIs and web services must be sent over HTTPS and must include the user's API key so that the server can authenticate the caller and authorize access.

The user's API key can be found on the "User account" screen. Each user has exactly one API key, and it grants access only to the menus configured in the access group associated with that user; the key never carries more privilege than the user it belongs to. Treat it as a credential: store it in a secrets manager or environment variable, never in source code or logs, and regenerate it if it is exposed.

caution

From version 2.1 onwards, the use of the HTTPS protocol is mandatory, which significantly increases the security of the solution. It is highly recommended that the organization obtain a valid digital certificate issued by a trusted certificate authority. Otherwise, SoftExpert Suite users may receive browser security alerts while logged in to the solution, and integration clients that verify TLS certificates (as they should) will refuse to connect. Note that sending access credentials over plain HTTP exposes them to interception on the network and is considered a serious security breach; it must be avoided under all circumstances.

API gateway

The API gateway is an important component of the architecture of API-based systems. In SoftExpert Suite, it is the control layer for access to the resources exposed through APIs and web services: every request passes through it before reaching a resource.

To send your requests to the API gateway, use the URL https://my-domain.softexpert.com/apigateway/, replacing my-domain with the same domain you use to access SoftExpert Suite.

By routing requests through the API gateway, access control policies such as authentication and authorization are enforced in one place, and the request and response traffic between clients and resources can be monitored. This increases security and control over the use of the SoftExpert Suite APIs and web services.

User for integrations

We recommend creating a dedicated user in SoftExpert Suite for integrations. This user must have only one access group linked and must be associated with a single MANAGER license. It should not be synchronized with AD (Active Directory) and should not be used for day-to-day access to the system, as it must be reserved exclusively for integrations. This makes it easier to manage the user's permissions to the integrations made available (grant only the menus the integration actually needs), and to keep a history of performed integrations, which can be extracted by filtering the records inserted by this user.

Next steps