How to disable Epicor Rest API v1?

Hi there,

First post here, glad to be joining the community.

I’d like to know if there is a way to “disable” Epicor REST API v1, keeping Epicor REST API v2 “enabled”.

Epicor REST API v2 is much more secure than v1 as it requires an API key to be passed along with every request. I don’t like that with v1, any one of our users can access all the services and business objects. I tried for example logging into the Epicor REST help page (https://{EpicorServer}/{ERPInstance}/api/v1) as a basic user that has access only to some job management and material management dashboards and reports, and was able to (using the API) query lists of employee records, GL period balances and other sensitive data that this user shouldn’t have access to.

I know I could use service security maintenance to start limiting access at the service level, but that just doesn’t seem like a viable solution considering how complicated it would be to manage on a large scale along with menu security maintenance.

Thanks in advance for your help,

You can enforce the API key on v1 as well.
Of course, that is if you are not using anything that requires REST, like the active home page.

The key in web.config appSettings is

<add key="EnforceApiKeyForRestApiV1" value="True" />

3 Likes
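As an added example (not from the reply above or from Epicor), here is a small audit-and-remediate script built around the appSettings key the reply names. It parses a web.config-style document, reports whether EnforceApiKeyForRestApiV1 is present and set to True, treats an absent or non-True value as the permissive v1 behaviour the original poster describes, and can emit a hardened copy with the key set. The sample document is constructed for the example and is not a real Epicor web.config; the assumption that the last repeated entry for a key is the effective one is noted in the code.

```python
"""Audit and harden the EnforceApiKeyForRestApiV1 setting in an Epicor web.config."""
import sys
import xml.etree.ElementTree as ET

# appSettings key named in the reply above.
ENFORCE_KEY = "EnforceApiKeyForRestApiV1"

# Constructed sample (not a real Epicor web.config): the key is absent, which
# is the state the original poster describes, where any authenticated user can
# call REST v1 without an API key.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="SomeOtherSetting" value="example" />
  </appSettings>
</configuration>
"""


def _find_setting(root, key):
    """Return the last <add key=...> element under <appSettings>, or None.

    Assumption: if a key is repeated, the last entry is the effective one.
    """
    matches = [e for e in root.findall("./appSettings/add") if e.get("key") == key]
    return matches[-1] if matches else None


def v1_api_key_enforced(config_xml):
    """True only if EnforceApiKeyForRestApiV1 is present and set to 'true' (any case)."""
    root = ET.fromstring(config_xml)
    setting = _find_setting(root, ENFORCE_KEY)
    if setting is None:
        return False  # absent: v1 keeps its permissive default
    return (setting.get("value") or "").strip().lower() == "true"


def enforce_v1_api_key(config_xml):
    """Return config_xml with EnforceApiKeyForRestApiV1 set to True.

    Adds the <appSettings> section and the <add> element if they are missing.
    """
    root = ET.fromstring(config_xml)
    app_settings = root.find("appSettings")
    if app_settings is None:
        app_settings = ET.SubElement(root, "appSettings")
    setting = _find_setting(root, ENFORCE_KEY)
    if setting is None:
        setting = ET.SubElement(app_settings, "add", key=ENFORCE_KEY)
    setting.set("value", "True")
    return ET.tostring(root, encoding="unicode")


def audit(config_xml):
    """One-line audit result for a config document."""
    if v1_api_key_enforced(config_xml):
        return "REST API v1 requires an API key (EnforceApiKeyForRestApiV1=True)."
    return "REST API v1 does NOT require an API key; set EnforceApiKeyForRestApiV1 to True."


if __name__ == "__main__":
    # Usage: python check_v1_enforce.py [path/to/web.config]
    # Without a path, the constructed sample is audited and a hardened copy printed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WEB_CONFIG
    print(audit(text))
    if not v1_api_key_enforced(text):
        print(enforce_v1_api_key(text))
```

Two practical notes: ElementTree drops XML comments and the XML declaration when it re-serialises, so on a real server use the audit function to check the setting and apply the one-line change by hand (or with a tool that preserves formatting), and remember the reply's caveat that anything still relying on key-less v1 calls, such as the active home page, will stop working once the key is enforced.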

Excellent, thank you!