Authorization guide
Authentication and authorization refer to the process of granting a user or application permission to access the SoftExpert Suite data and resources.
Where:
- End user corresponds to the SoftExpert Suite user. The end user requests access to protected resources (e.g., workflows, documents, etc.).
- My App is the client requesting access to protected resources (for example, a mobile app, web app, or an integration).
- The SoftExpert server hosts the protected resources and provides authentication and authorization via API key or HTTP Basic authentication.
Using the API key
To securely integrate SoftExpert Suite with your application, one of the currently recommended ways is to use the API key; the API key follows the JSON Web Token (JWT) specification. Thus, all requests made to APIs and web services must use HTTPS and include the user's API key in order to authenticate and authorize access.
The user's API key can be found on the "User account" screen. Each user can only have one API key, which allows access to the menus configured in the access group associated with them.
From version 2.1 onwards, the use of the HTTPS protocol is mandatory in order to significantly increase security while the solution is used. It is highly recommended that the organization obtain a valid digital certificate issued by a trusted certificate authority. Otherwise, SoftExpert Suite users may receive security alerts while logged in to the solution. It is important to note that sending access credentials via HTTP is considered a serious security breach and should be avoided under all circumstances.
API gateway
The API gateway is an important component of the architecture of API-based systems. In the case of SoftExpert Suite, it is responsible for the control layer referring to access to resources made available through APIs and web services.
To send your requests to the API gateway, you must use the URL https://my-domain.softexpert.com/apigateway/, where <my-domain> must be the same domain used to access SoftExpert Suite.
By resorting to the API gateway, you can implement access control policies, such as authentication and authorization, in addition to monitoring request and response traffic between clients and resources. This increases security and control over the use of the SoftExpert Suite APIs and web services.
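The following added example (not SoftExpert's own code) ties together the two rules above: it builds the gateway URL for a given <my-domain>, refuses to attach the API key to anything but an HTTPS URL, and checks that the key has the three-segment JWT shape before it is sent. The "Authorization: Bearer" header name and the constructed, unsigned sample token are assumptions; the page does not specify how the key is transmitted.

```python
"""Build a SoftExpert API gateway request carrying the user's API key (JWT).

Added example, not SoftExpert's own code. Assumptions not stated on the page:
- the API key is sent as "Authorization: Bearer <key>";
- SAMPLE_KEY below is a constructed, unsigned token for offline illustration.
"""
import base64
import json

GATEWAY_PATH = "/apigateway/"


def gateway_url(domain: str, scheme: str = "https") -> str:
    """Return the gateway base URL for <my-domain>; HTTPS is the only accepted scheme."""
    if scheme != "https":
        # Sending credentials over plain HTTP is a serious security breach (see guide).
        raise ValueError("API gateway requests must use HTTPS")
    if not domain or "/" in domain or "://" in domain:
        raise ValueError("domain must be a bare host name, e.g. my-domain.softexpert.com")
    return f"{scheme}://{domain}{GATEWAY_PATH}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_api_key(token: str) -> dict:
    """Check the key has the JWT shape (header.payload.signature) and return the
    decoded header and payload. The signature is NOT verified here: the server does
    that; this only catches a truncated or mis-pasted key before it is sent."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("API key is not a JWT (expected three dot-separated segments)")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "payload": json.loads(_b64url_decode(parts[1]))}


def build_request(domain: str, api_key: str, resource: str) -> dict:
    """Assemble URL and headers for a gateway call after validating the key."""
    inspect_api_key(api_key)
    return {"url": gateway_url(domain) + resource.lstrip("/"),
            "headers": {"Authorization": f"Bearer {api_key}"}}


def redact(api_key: str) -> str:
    """Log-safe form of the key: the first 8 characters only."""
    return api_key[:8] + "..."


# Constructed sample token (alg "none", dummy signature) so the example runs offline.
SAMPLE_KEY = ".".join(
    base64.urlsafe_b64encode(json.dumps(p, separators=(",", ":")).encode()).decode().rstrip("=")
    for p in ({"alg": "none", "typ": "JWT"}, {"sub": "integration-user", "iss": "softexpert-suite"})
) + ".sig"

if __name__ == "__main__":
    req = build_request("my-domain.softexpert.com", SAMPLE_KEY, "<resource-path>")  # placeholder path
    print(req["url"], "key:", redact(SAMPLE_KEY))
```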
User for integrations
We recommend creating a unique user in SoftExpert Suite for integrations. This user must only have one access group linked and associated with a single MANAGER license. This user should also not be synchronized with AD (Active Directory) and should not be used to access the system on a day-to-day basis, as this user must be exclusive for integrations. This facilitates both the management of this user's permissions to access the integrations made available, and the maintenance of a history of performed integrations, which can be extracted by observing the records inserted by this user.
Next steps
- Before continuing, make sure you have created an API token on your user account in SoftExpert Suite.
- Finally, learn how to use the requested access token by reading the Guide on how to use the access token.