API GET Requests - All Endpoints Generally Open?

  • API GET Requests - All Endpoints Generally Open?

    I've been building some back-end tools for my business and integrating them with the CRM via the API.
    I created an API Role and specifically granted the permissions I require.
    I created an API User and assigned that API Role to that user.
    I've enabled HMAC authentication for the user, and have been able to successfully create Contacts, Upload Documents etc. through my NodeJs application.

    I realized, however, that it appears all of the GET endpoints (<MyDomain.com>/api/v1/User, for example) just return all the User data with no authentication required. I can just type that URL in my browser address bar and get back a JSON object with my CRM User data. Am I missing something? How can I remove the ability for any random internet person to type my CRM URL into their browser and see all my data?

    Thanks for looking!

  • #2
    Because you are logged in as admin in the browser. It uses stored credentials.

    • #3
      Asking about API GET & POST requests: can we use them for an external link, or is there any way to get/post data to an external API? I don't want to use CURL from the OS library.

      • #4
        We use the N8N Workflow Automation Platform (internal, Docker) for different use cases with API-Users (e.g. Nextcloud docs import into Espo, Jira Sync). Works excellently with Espo Webhooks.
