Updating a field on a Sales Order using REST API

Hello Epi Gurus,

I don’t know if I’m barking up the wrong tree but what I need to be able to do is: update a field in a Sales Order when a customer clicks a link in an email…

When our Quotes are converted to Sales Orders a confirmation email auto sends from Epicor asking the customer to confirm some details, what I’m hoping to do is insert a link or a button that they can click and when they do it will update the field/checkbox

I’m thinking I will need to do this via an API (with which I have no experience). Can anyone please point me in the right direction?

Thank you

Version 10.2.400.13 - on prem

Because of the way the REST API works, this can’t be done with just a link in an email.
You’ll have to write your own web page that receives the request and then forwards it to the REST API.

The REST API needs authorization and authentication to work.

Workflow should be something like this

Epicor generates an email via BPM (or some method); the email contains a GUID, maybe the sysrowid of the sales order

You write an app that responds to that link and then can authenticate against Epicor using valid credentials and api key

Then that app server side turns around and updates the field


Here’s an example of a similar facade


Thank you Sir!!, looks like I’ve got a bit of learning to do…fast

I’ve done work in the past with php, html and C# but not json

When an API authenticates does it take a licence? At the moment we are bumping on the limit with the licences that we have, do you know if it takes a data entry or a full licence or none??

If it does take a licence, what happens if we are out of licences when it tries to authenticate??

Thanks again…

This EpicCare KB article explains how Epicor consumes various license types:

License Type Utilization in Epicor ERP 10

Hello @josecgomez

Start of the dumb questions…

With the Facade, do you host it on a local server and point a tld (or a sub.tld) at it?

Then the Facade would authenticate across your local network to your Epicor server?

If not local, how would it send GETs and POSTs?

Would we have to expose our Epicor server and make it so that it only accepts requests from 1 external IP address??

Regards Lawson

You can host the facade anywhere, and yes, it would communicate with your Epicor server, so it may be easier if it’s in your network, but in a DMZ outside the internal network with no access to any internal resources (not part of your domain).

No, you don’t have to expose your Epicor server; all you have to do is have a path between the facade somewhere in your DMZ and the Epicor REST endpoint

With a very narrow scope of authorization via API key that only allows one BAQ to be executed via that path (or a narrow list of them)


Jose, are there any best practice guides out there for this setup? Soon we will be doing something like this. I am not well versed in network/security so it would be nice to read up on something or talk with someone about the best practice for network/security and Epicor.

If there isn’t a best practice guide, do you know anyone with the expertise that could help consult (be it you or anyone else).


Hi Taylor,
I’m sure there are best practice guides (general ones) about DMZ setup and firewall punch through etc. I don’t know one specifically (I could google as well as you I suppose)

From the consulting side I’d look at some of the awesome consultants and partners that are active on this forum that have proven their worth / salt and see if they can help.

Though really you need someone from a networking side and someone from the Epicor Side of the house to put a cohesive strategy together.

I’ve done both, but I got to be honest the liability of exposing your ERP to Internet is too big even for my big mouth to try and explain it in a forum.

I recommend that after you set it up you hire someone that can do some pen testing to ensure that it is hole free.

The principle is simple

Expose a Server with as little footprint / services as possible to the WAN (HTTPS only on one specific IP / URL)
Allow only a very narrow scope of requests to come through (check the requests in the DMZ and if they aren’t exactly what you expect… reject them)

If the requests are ok, that server communicates with your in-house Epicor Server via a very narrow scope using both API keys and restrictions on EndPoint / URL

Epicor Server handles the requests and returns the responses to the DMZ box which then responds to the original client.
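
The DMZ check described in the post above ("if they aren’t exactly what you expect… reject them"), sketched as an added example that is not part of the original thread or Epicor's own code. The `/confirm` route, the `id` parameter, the `CustomerConfirmed_c` field and the upstream action name are all hypothetical, and the sample GUID is constructed.

```python
import uuid
from urllib.parse import urlsplit, parse_qsl

ALLOWED_PATH = "/confirm"          # hypothetical: the only route the facade serves
UPSTREAM_ACTION = "confirm-order"  # hypothetical: the single call the API key permits


def check_request(method, target):
    """Return (http_status, guid). Exactly one request shape is accepted."""
    if method != "GET":
        return 405, None
    parts = urlsplit(target)
    # Reject absolute or scheme-relative targets such as //other-host/confirm
    if parts.scheme or parts.netloc or parts.fragment:
        return 400, None
    if parts.path != ALLOWED_PATH:
        return 404, None
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Exactly one parameter, named "id"; extra or repeated parameters are refused
    if len(params) != 1 or params[0][0] != "id":
        return 400, None
    raw = params[0][1]
    try:
        guid = uuid.UUID(raw)
    except ValueError:
        return 400, None
    # uuid.UUID also accepts {braces}, urn:uuid: and unhyphenated hex;
    # only the canonical 8-4-4-4-12 form is allowed through.
    if str(guid) != raw.lower():
        return 400, None
    return 200, str(guid)


def build_upstream(order_guid):
    """Describe the one upstream update. Field and value are fixed server-side;
    the GUID is the only thing taken from the client."""
    return {"action": UPSTREAM_ACTION, "sysrowid": order_guid,
            "field": "CustomerConfirmed_c", "value": True}  # hypothetical field


def handle(method, target):
    status, guid = check_request(method, target)
    return status, (build_upstream(guid) if status == 200 else None)


if __name__ == "__main__":
    sample = "3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b"  # constructed GUID
    print(handle("GET", "/confirm?id=" + sample))
    print(handle("GET", "/confirm?id=" + sample + "&field=OrderTotal"))
```

The Epicor credentials and API key stay on the facade and are attached only when it sends the fixed upstream call; nothing in the emailed link carries them.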


Thanks Jose, much appreciated.


BTW, what Jose recommended is exactly what one would do with an Azure Web App (the public IP portion), Azure Web API (which provides the facade to your service), and the reverse proxy mentioned in a previous thread. It is designed to set up that type of security between your web app and the Web API and the security from the Web API to your on-prem system.


@josecgomez, Thank you for your depth of insight on the topic, I don’t think it’s worthwhile me upskilling to do all aspects of what is required, I understand the concept, I think I’ll draw up a diagram of what I’ve understood from these replies and post it back here for comment, and then look for some ninjas to help

Thanks again


Good idea


Hello @josecgomez,

I’ve spoken to the company that maintains our firewall and security; they seem as confused as #%&@ with what we are trying to do. I don’t want to be a leech, but do you have anything that would help them understand the concept (please and thank you)?

The other pain in the neck factor is we have just lost our main IT guy that knew the ins and outs of the servers we have… so a few crash courses for me

Hi, this could be done by creating a link in the email to generate a response from the client. You can use that response to update the Sales Order value you want, using Microsoft Power Automate with the Gateway installed in your network and the Epicor REST API.

Raul D.