Security

You can control data access down to the row and column-instance level by configuring security in API Creator.

API Creator provides:
  • Authorization, to control which rows and columns a user can see and change.

For more information:

  • For an illustration of a basic custom authentication provider, see the Business to Business Example.
  • For how to use the security services effectively, including authentication, authorization, and security concepts, see the Security Examples.
To view a video that describes the concepts and operations for declarative security, see Videos.

Admin vs. App Security

Admin security is authentication with "root privilege" to the system (for example, the admin account). Such users can alter logic and define security.

App security defines who can access the API (the data, such as by Live Browser), and what the user is authorized to do. Such users do not have access to the definitions of security, resources, and logic.

Security Workflow

The following workflow provides an overview of security:
  1. Owners/Administrators define role permissions and custom auth providers in API Server, which stores them in the admin database.
  2. Applications post credentials to a special endpoint (@authentication) to obtain an Auth Token ID. An Auth Token typically represents an authorized user, and defines the set of roles to which the user is authorized.
    For more information about the roles assigned to the auth token, see Authorization.
  3. The API Server invokes the custom authentication provider:
    • The default authentication provider looks up users defined in API Creator. This is most appropriate for development.
    • Your custom authentication provider is passed the credentials, such as the name and password, and obtains a set of authorized roles by looking them up in your available and configured identity provider, such as LDAP, Active Directory, or OAuth.
  4. The API Server creates an auth token containing the roles and globals and stores these in the Admin database. The auth token is available to all API Server nodes in a cluster.
  5. The Auth Token ID is returned to the client, who passes it in the header of subsequent requests; the API Server uses it to enforce role permissions.

Roles

Roles define permissions for table access. There are usually far fewer roles than users, so roles make administration much simpler than assigning authorization directly to users.

Permissions include predicates for row access, columns, and an access type that determines the operations allowed. A role is authorized to the union of its permissions, and an auth token is authorized to the union of its role-based permissions.
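
The union rule above, as a small Python model added here (it is not API Creator code and does not use its API). The role names, table, columns and function names are constructed for illustration, and the model assumes each permission grants its own rows, columns and operations as a unit, so the union never combines one permission's access type with another's predicate.

```python
import secrets
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Permission:
    table: str
    access: frozenset      # operations allowed: "read", "insert", "update", "delete"
    columns: frozenset     # columns the grant covers
    predicate: Callable    # (row, globals) -> True if the row is covered

# Constructed role definitions (hypothetical names, not shipped with API Creator).
ROLES = {
    "SalesRep": [Permission("orders", frozenset({"read", "update"}),
                            frozenset({"id", "region", "status"}),
                            lambda row, g: row["region"] == g["region"])],
    "Auditor": [Permission("orders", frozenset({"read"}),
                           frozenset({"id", "region", "amount"}),
                           lambda row, g: True)],
}
TOKENS = {}  # stands in for the admin database shared by all server nodes

def issue_token(role_names, user_globals):
    """Workflow steps 4-5: keep roles and globals server-side, return an opaque ID."""
    token_id = secrets.token_urlsafe(32)
    TOKENS[token_id] = {"roles": tuple(role_names), "globals": dict(user_globals)}
    return token_id

def allowed_columns(token_id, table, access, row):
    """Union of the columns of every permission covering this row and operation."""
    token = TOKENS.get(token_id)
    if token is None:          # unknown token ID: deny
        return set()
    cols = set()
    for role in token["roles"]:
        for p in ROLES.get(role, ()):
            if (p.table == table and access in p.access
                    and p.predicate(row, token["globals"])):
                cols |= p.columns
    return cols

def read_row(token_id, table, row):
    """Return the row projected onto its readable columns, or None if denied."""
    cols = allowed_columns(token_id, table, "read", row)
    return {k: v for k, v in row.items() if k in cols} if cols else None
```

In this model a token holding both roles reads every column of a row in its own region, but gains no update right outside that region, because the Auditor permission that covers those rows is read-only.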

For more information:

  • About controlling access to REST endpoints using roles, including how to define a global, see Roles.
  • About globals, see Authorization.

Communications Security

API Creator provides options for https-based communications.

Service Connectivity

Your authentication provider provides service connectivity. For further control, API Creator provides options to deploy services within a private cloud.

Cross Origin Resource Sharing (CORS)

Unless specifically authorized, JavaScript code can only access the site it was loaded from. This is designed to prevent a malicious site from accessing servers open on other tabs (e.g., your bank). CORS is the mechanism to enforce this restriction.

API Creator security is equipped to protect itself against such attacks, so we provide an HTTP header which stipulates that calls from any JavaScript app (e.g., another tab in your browser) are accepted.

Database Connection Security

API Creator requires access to your database. Your information is protected by both encryption and salting, using industry standards.

There are two common database location scenarios:
  • Cloud database. It is becoming the common practice to deploy databases in the cloud, for automated maintenance and administration. To minimize latency, select an API Creator Service on the same cloud provider and region as your database.

    If your organization requires advanced security, provide API Server in your private cloud.

  • On-premises database. Where services are required for a database already deployed behind your firewall, contact your network administrator to authorize access by API Creator. The basic approach is to open a port in your firewall for your database. For on-premises databases, you will need the public cloud IP address of your API Server.

    If your organization has rigid security requirements, configure an on-premises API Server. This will generally not include elastic support to dynamically add servers.
