Insert API key into Kinetic customization

Hey there,

I’m fiddling with storing the API key and bringing it into the customization for portability between environments. It’s stored for now in a user codes record, but I’ll move it to the Company table for better security when I make sure it works.

I have brought it into a dataview called APIKey as showing here:


but don’t know how to stuff it here:


I’ve tried this:


and this:


but get this:


How would I stuff the key here?



Epicor Idea 2555


MS Keyvaultttttttttttt

1 Like

Key Vault is one but others could be used. Epicor could also use the Sodium open source project to develop their own too.


Mark, is everyone on Epicor cloud hosted on azure?

Over the years, Epicor has used Rackspace and CyrusOne for single tenant but I believe the goal was to migrate all cloud users to Azure. The 3 services: Select, Signature, and Enterprise, are all Azure if I understood the messaging at Insights. @Rich can confirm.

By this I meant, build secrets management into Epicor Identity for example. But there are others like HashiCorp Vault. Epicor has to think about the on-prem or private cloud folks too, who may be running in AWS, GCP, or a private Azure tenant.

Thanks all for your comments. What I’d really like to know is what to put here


so that my stored key gets passed to the function.


Sorry for the deflection Joe.

Yeah, not really better security…but let’s save that for another thread.

From the little time I’ve spent with Application Studio, you’ll have to paste that code into every-single-layer that makes an ERP Rest call. And when the key changes, you’ll have to to do it again. To every-single-layer.

@hmwillett, am I full of :poop:? I mean, about the API-Key. Is there a way to dynamically insert it into a layer?

I asked while in the Extended Education class for Application Studio and all of the Epicor employees did not have an answer for this. That’s why I submitted the Epicor Idea during Insights last week and let @amelton know too. Maybe @bconner or @edge have some thoughts on this?

1 Like

Okay. Thanks, Mark.

BTW, what I’d LIKE to see is something like what Azure Web Apps does. You can enter a key NAME in your app settings that looks like this:


Epicor could adopt a similar syntax to get the key value from whatever secrets vault was used. To make it more secure, this would happen at the SERVER and not in the Kinetic client. As long as the logged in client has access to the secrets key, then it should work and be secure. If the key value is in the client, it’s exposed.

Right and since they move everyone to one of those azure subscriptions key vault is probably already included or could easily be added since it’s all on azure.

Yes… But also no. :stuck_out_tongue:
Ya have to paste it in every. Damn. Time. #Awful

I would think that companies would use their own Azure AD account (that you get with 365) since that is their authoritative identity service. To use Epicor’s would require some B2B integration work… :thinking:

I guess I am not suggesting using Epicor’s.

If Epicor hosts our environment and I would like to use AD Auth, how are they setting that up now?

Wouldn’t something like keyvault be orchestrated in a similar manner?

Ah, I see. We set it up on our own when in the cloud just like on-prem people do. The main thing Epicor needs to do is to enable the appServer for Azure AD. The configuration is done by updating the Azure AD client and tenant IDs within E10/Kinetic. If still using the rich client, the .sysconfig needs to be updated. If a cloud user, Epicor would have to change the default file. Finally, the User file needs to have the external ID set and (optionally but likely) check the SSO only box for most users.

So could they make some keyvault option like the AD client and the tenant IDs within E10/Kintetic?

Sure. Azure has both configuration management and secrets management. You bring up an interesting question. Are configuration values also supposed to be secrets? :person_shrugging:

1 Like

That I don’t know Mark!

Actually, Brian reminded me that if you have Session in the home page (and you should have), then Api Key is not required. You need to send Session header and it is sent automatically in Homepage.
You should try.