I've been building some back-end tools for my business and integrating them with the CRM via the API.
I created an API Role and specifically granted the permissions I require.
I created an API User and assigned that API Role to that user.
I've enabled HMAC authentication for the user, and have been able to successfully create Contacts, Upload Documents etc. through my NodeJs application.
I realized, however, that it appears all of the GET endpoints (<MyDomain.com>/api/v1/User, for example) just return all the User data with no authentication required. I can just type that URL in my browser address bar and get back a JSON object with my CRM User data. Am I missing something? How can I remove the ability for any random internet person to type my CRM URL into their browser and see all my data?
Thanks for looking!
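A small audit helper for the situation described in the post, added here as an example and not code from the original poster or from the CRM vendor. It requests a list of REST paths with no cookies, no Authorization header and no HMAC headers, so that an existing browser login session cannot mask the result, and reports any endpoint that answers 2xx with a JSON body. The base URL, the endpoint list beyond /api/v1/User, and the fake server responses are assumptions constructed for an offline run; the injected fetch function can be swapped for the real Node `fetch` against your own instance.

```javascript
// Added example (not from the original post): audit whether CRM REST endpoints
// return data to an unauthenticated client. Paths other than /api/v1/User are
// assumed for illustration.
const ENDPOINTS = ['/api/v1/User', '/api/v1/Contact', '/api/v1/Document'];

// Classify one unauthenticated response. A protected endpoint answers 401/403
// (or redirects to a login page); a 2xx with a JSON body means the data is
// readable by anyone who knows the URL.
function classify(status, contentType, body) {
  if (status === 401 || status === 403) return 'protected';
  if (status === 301 || status === 302) return 'redirect'; // likely a login page; verify by hand
  if (status >= 200 && status < 300) {
    const isJson = /application\/json/i.test(contentType || '');
    return isJson && body && body.length > 0 ? 'EXPOSED' : 'unexpected';
  }
  return 'unexpected';
}

// Probe each endpoint with a bare GET: no cookies, no Authorization, no HMAC
// headers, redirects not followed. fetchImpl is injected so the function can be
// exercised offline and against a real instance alike.
async function probe(fetchImpl, baseUrl, paths = ENDPOINTS) {
  const findings = [];
  for (const path of paths) {
    const res = await fetchImpl(baseUrl + path, {
      method: 'GET', headers: {}, redirect: 'manual', credentials: 'omit',
    });
    const body = await res.text();
    findings.push({
      path,
      status: res.status,
      verdict: classify(res.status, res.headers.get('content-type'), body),
    });
  }
  return findings;
}

// Paths that leaked data without credentials.
function summarize(findings) {
  return findings.filter((f) => f.verdict === 'EXPOSED').map((f) => f.path);
}

// Constructed stand-in for a misconfigured server: /api/v1/User leaks a JSON
// list, the other paths correctly demand authentication.
function fakeFetch(url) {
  const path = new URL(url).pathname;
  const leak = path === '/api/v1/User';
  return Promise.resolve({
    status: leak ? 200 : 401,
    headers: {
      get: (h) => (h.toLowerCase() === 'content-type'
        ? (leak ? 'application/json' : 'text/plain')
        : null),
    },
    text: () => Promise.resolve(leak ? '{"total":2,"list":[{"id":"1"}]}' : 'Unauthorized'),
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  // Replace fakeFetch with the real fetch and your own base URL to audit a live instance.
  probe(fakeFetch, 'https://crm.example.com').then((findings) => {
    for (const f of findings) console.log(`${f.status} ${f.verdict.padEnd(10)} ${f.path}`);
    const exposed = summarize(findings);
    console.log(exposed.length
      ? `EXPOSED without auth: ${exposed.join(', ')}`
      : 'All probed endpoints require authentication');
  });
}
```

Run it from a machine or a private browser profile that holds no CRM session: if the real endpoints still come back as EXPOSED, the server-side configuration is at fault; if they come back as protected, the browser test in the post was most likely being authenticated by an existing login cookie.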