API Security
This page describes the security mechanisms that are in place to ensure the resilience of RegScale's APIs. There are multiple layers of security that must be understood to use the APIs effectively. In addition, there are options to enable or disable the discoverability of our APIs based on the customer's preferences.
JSON Web Tokens (JWT)
To call most RegScale APIs, you must first authenticate to obtain a JWT. This JWT (sometimes referred to as a Bearer token) is added to the header of each request to RegScale and is used by the application to make authorization decisions for each API. The token is signed on the server side so that its validity can be checked, expires based on the session timeout configured for your RegScale instance, and contains the metadata about the user needed to support authorization decisions.
Roles
Each JWT contains a collection of roles that have been assigned to the user. The APIs have multiple levels of authorization:
- Requires authorization - most endpoints require the user to be signed in and to have a valid JWT
- Requires roles - many APIs require specific roles to be assigned to the user; otherwise, the user receives an unauthorized message when attempting to access the API
System Administrators have the ability to assign users to roles. The next time the user logs in, the new roles will be applied to the JWT.
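The two authorization layers described above (a valid, unexpired, server-signed JWT first, then a role check) as an added example, not RegScale's own code: it assumes HS256 signing and a `roles` claim, neither of which this page specifies, and `issue_token` only exists to construct demo tokens.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(claims: dict, secret: bytes) -> str:
    # Constructed demo signer; RegScale's real key and algorithm are not on this page (assumption: HS256).
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def authorize(token: str, secret: bytes, required_roles: set, now=None) -> str:
    """Returns "ok", "unauthenticated" (no valid JWT) or "unauthorized" (valid JWT, role missing)."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
        signature = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed segments, bad base64 or bad JSON
        return "unauthenticated"
    # Pin the algorithm: the token header must never choose how it is verified.
    if alg != "HS256":
        return "unauthenticated"
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "unauthenticated"
    # exp reflects the instance's configured session timeout.
    if claims.get("exp", 0) <= now:
        return "unauthenticated"
    # Assumed claim name "roles"; new roles only appear after the user's next login.
    if not required_roles.issubset(set(claims.get("roles", []))):
        return "unauthorized"
    return "ok"
```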
Discoverability
By default, RegScale publishes the contracts for its APIs in two ways:
- Swagger - REST API definition
- GraphQL - Catalog with database schema of available objects to query
Some customers may wish to limit access to viewing APIs for their production system (NOTE: RegScale always recommends enabling APIs for development systems). If you would like to hide the APIs and GraphQL schema for your production system, you can do so by setting the "VIEW_APIS" environment variable to "false". If you set it to false and restart the container, RegScale will not publish the Swagger page, and the GraphQL system will not provide IntelliSense for queries or access to the schema.