API Authorization for End Users

  • bandtank
    Active Community Member
    • Mar 2017
    • 379

    The API documentation recommends against using basic authentication. I am fine with using other methods, but I don't understand how end users are supposed to authenticate. Using API keys or HMAC seems to work better for applications that need to authenticate instead of users. If an external application needs to authenticate a user, which method is supposed to be used?

    For example, I built an iOS app for my organization that connects to Espo. Currently, I present users with a login screen, which requires users to enter usernames and passwords. After authenticating using basic auth, tokens are stored in iCloud, which the app uses to authenticate during future sessions. The process always uses basic auth because the API key/HMAC method does not seem to make sense for this use case.

    Am I wrong? Should I be using API Keys/HMAC for user-based authorization flows? I am confused because the documentation seems to suggest using basic auth for users and API Key/HMAC for applications.

    As an aside, if there is a way to require 2FA for users from an external application, I would appreciate advice about how to enable that feature.
  • yuri
    Member
    • Mar 2014
    • 8455

    #2
    For regular users, only basic authentication is available. It's fine to use it.
    If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.
