REST API security

By default, the REST API authenticates requests with basic authentication or OAuth and uses the resulting identity to enforce access controls on web resources.

ACLs defined for tables are enforced to restrict access to data.

The user ID used for authentication is subject to the same access controls as an interactive user. Each request must carry its own authentication information: include an Authorization header with the credentials the request should run under. There is no support for inbound mutual authentication.

To allow access to a table without authentication, add the table name to sys_public.list. This removes only the authentication requirement: ACLs defined on the table are still enforced, so unauthenticated requests are denied unless the ACLs permit them, and deactivating those ACLs is the customer's responsibility. Do this only for data that is genuinely meant to be public.

REST also supports cookies, so a request can bind to an existing session instead of re-sending credentials on every call.

For Aggregate API requests, you must have read access for all records in the table you query. If an ACL prevents the requesting user from accessing any record in the table, the request returns a 403 Forbidden error.
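The following Python helper illustrates the two points above: every request carries its own Authorization header (basic or OAuth bearer), and a 401 is distinguished from the 403 an ACL denial produces, for example on an Aggregate API query. This is an added example, not code from the product or its documentation; the instance hostname, the credentials and the /api/now/table and /api/now/stats paths are assumptions for illustration, and only the header construction and status handling are exercised offline.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical instance used for illustration only (assumption).
INSTANCE = "https://example.service-now.com"


def basic_auth_header(user: str, password: str) -> str:
    """Return the value of an HTTP Basic Authorization header (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def bearer_auth_header(access_token: str) -> str:
    """Return the Authorization header value for an OAuth 2.0 bearer token."""
    return f"Bearer {access_token}"


def build_request(path: str, auth_header: str, query=None) -> urllib.request.Request:
    """Build a GET request that carries its own credentials.

    Each REST call must include the Authorization header itself; this helper
    never relies on a session cookie from an earlier call.
    """
    url = f"{INSTANCE}{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", auth_header)
    req.add_header("Accept", "application/json")
    return req


def explain_status(status: int) -> str:
    """Map the status codes a REST client should expect to their meaning."""
    if status == 401:
        return "unauthenticated: Authorization header missing or credentials rejected"
    if status == 403:
        return "authenticated but denied by an ACL (Aggregate API needs read access to every record)"
    if 200 <= status < 300:
        return "ok"
    return f"unexpected status {status}"


def get_json(req: urllib.request.Request):
    """Send the request; return (status, parsed body or None on HTTP error)."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


if __name__ == "__main__":
    # Assumed credentials and paths; replace with real values before running online.
    auth = basic_auth_header("admin", "secret")
    table_req = build_request("/api/now/table/incident", auth, {"sysparm_limit": "1"})
    stats_req = build_request("/api/now/stats/incident", auth, {"sysparm_count": "true"})
    for req in (table_req, stats_req):
        status, body = get_json(req)
        print(req.full_url, status, explain_status(status))
```

Keep the credentials out of source control and prefer an OAuth token with a short lifetime over a long-lived basic-auth password; the header-building code is identical either way.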