has anyone used REST services V2?
I am trying to execute REST services from POSTMAN/.NET using the api-key but it doesn’t work HOWEVER if I use the same URL in a web browser it works.
if use REST services v1 with basic authentication, I can use them by using POSTMAN, Web Browser and .NET
this is an example of my URL
https://{server}/api/v2/odata/{Company}/BaqSvc/{BaqName}/Data?api-key={apiKeyValue}
I can’t speak to POSTMAN, but Excel’s ODATA driver is incompatible with V2 as it interprets the API Key differently from the way Epicor uses it. Epicor tells you to disable the need for the API key in the config file, but if you are on SaaS , they will not edit the config file for you so you are out of luck.
after try several time and research on internet, I just arrived to the conclusion that I still need to use the Basic Authentication and api-key for REST V2.
Using POSTMAN, try to use the same structure as my URL, you will get the following
401 - Unauthorized: Access is denied due to invalid credentials.
then go to Authentication and add your user and password and you will be able to get the result
now, if you remove the api-key from the URL
Example
@erzt23 You’re correct Rest v2 requires both an authorized login and an api key. Currently api keys do not map to user accounts though we may add a second api key type that does that in the future for service <-> service integrations.
Yea currently the API key isn’t really a security mechanism. More of a way to limit the scope of what objects a client can get access to once you have the credentials.
Not to be picky, but there’s authentication and authorization and both are required for security. First I need to know who you are (authentication) then I can control what you do (authorization). You really need both for security. The API-KEY improves the authorization over what is available prior to 10.2.400. Mapping API-KEYS to users or user groups would definitely give even finer control to authorization.
You might want to check out cData. They have an Epicor oData driver that we’ve used because Epicor’s native driver has so many compatibility issues with the standards, especially the SaaS hosted environments.
It got me thinking. The documentation is a bit vauge about access scope, so just in case it was a situation where no access scope is equivalent to deny all, I tried to create an access scope for all, but got the spinner of death when I tried to add all services.
I then tried recreating the API key, just in case I copied it incorrectly, and recycled the APP pool, That appeared to work.
In summary I ended up
Delete and recreate a new API key (only populating the keyid, name and decription leaving all other options as default.
Recycling the app pool
Applying the api-key into an environment variable in Postman and included basic authentication using an account that is not setup for single sign on.
To validate that I had things configured in postman correctly I executed the request using the Swagger REST API v2 web page on the app server.
So then what is the purpose of api-key if you can reach the same data without api-key only with basic authorization? I was thinking to use api-key and access scope, but if it still asks for basic auth as additional then access scope becomes usless. Or I am incorect? I am talking about excel odata feed in this case.
Hi everyone, How I can connect Version 2 with a component OData from SSIS?
MY connection is with Basic Authentication, but I dont jknow how setup url from REST Version 2, the collect cant fill the list.