REST API v1 basic authentication (Javascript fetch, AJAX)

( on version 10.2.400.14_

I’m trying to use the REST API and not getting anywhere because of authentication.
This is v1, there’s no API key or token.
I know the API works and if I embed the username and password into the URL (https://user:pass@…) in a browser it works and returns JSON. If I enter the URL into a browser without the username password, it pops up a window to authenticate and then it works and returns JSON.
If I try to use a fetch() in JavaScript with the embedded username and password; it fails because the browser won’t allow that. If I do it with an Authorization header- which should be the correct way, it fails with a 401 Unauthorized error.

async function epicorGET( endpoint, args ) {
    let url, response;
    if ( args ) {
        url = apiPrefix + endpoint + '?' + encodeGetParams( args );
    } else {
        url = apiPrefix + endpoint;
    const b64creds = "Basic " + btoa( apiCreds.user + ":" + apiCreds.pass );
    response = await fetch( url, {
        method: 'GET',
        mode: 'no-cors',
        headers: {
            'Content-Type': "application/json",
            'Authorization': b64creds

    return response.json();

I must need something else in the headers to make it work but it’s going to be a lot of trial and error to figure out what, because the 401 doesn’t have any descriptive feedback.

I already tried Postman- because sometimes that works when nothing else does but it still gives a 401.

Surely someone here is already doing this successfully…?

Just a thought…
Common no-cors misconceptions (

the no-cors might be stripping the authorization header from your call, thus why your calls work in the other clients

Good thought but I already tried it with and without the ‘no-cors’ mode. If I skip that, it sends an OPTIONS request first which succeeds but the GET still fails. It doesn’t work in other clients. It only works by embedding the username and password into the URL and loading it in a web browser or loading the plain URL in the browser and authenticating interactively.
I also just tried with an XMLHttpRequest instead of a fetch() - same “401 Unauthorized”.
The next thing I’m going to try is to do it in PHP with cURL. That may work but I’d still rather be able to do it directly from Javascript.

It doesn’t work in postman either? If it were me, I’d work out the plumbing there first rather than code. I’m sure you know this, but this is what a good call in Postman looks like:

When you use a valid Epicor account and enter it that way, are you still getting a 401?

Also, this is a long shot, but I had an issue long ago where I’d use an account to authenticate with and it would work like 3 times, then it wouldn’t. It would lock the account in Epicor and I had to reset the password.

If your account password is expiring, it would probably throw a 401. I have some instructions on how to fix if you need to go down that path

Ok, figured it out- I do have more than one account password and there is both a test server and a live server. I have a password that works for the API for both and was using the one that works for test to get into Parallels but doesn’t for API access.

1 Like