Data API - access is completely open

I have set up my app so that access to the data via the API is enabled. This is working fine, but when I tested what happens if I don't use the token in my API calls, to my surprise it still worked, i.e. it is completely open to anyone.

Here are the details:

App Settings/Privacy/exposes a Data API ticked:

Data/Privacy settings:

I accept that for the role svx_test, having "current user is not empty" is not particularly restrictive, yet I was still expecting that the private token would be required in the header of the request. I modified the value of the token in the header and it still works via Postman. I then made a call from a Python script without any token in the request and it still works…

Why is the token not required?

If you are returning data from a workflow, check if authentication is required. If you are accessing the Data API directly for an object, "current user is not empty" sounds insufficient. It can be "current user is logged in" or another field that indicates authentication status.

Thanks @neerja - it is for data. And yes, if I change the condition for the data role to be something like "Current user is logged in", then the API calls won't return data if there is no login first. However, I'm still puzzled as to when the token comes into play.

Maybe the token only applies to Workflow API calls?

OK, so I have worked out where I was going wrong: the authorization header was in the incorrect format, so it would never have worked anyway. Once I fixed this and then changed the role to be for a logged-in user, all is good; modifying the token to be incorrect generates a response of "invalid token".
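As an added check (not code from the thread or from Bubble), this Python script probes a Data API type the way the poster did by hand: with no token, a wrong token, a bare token missing the Bearer prefix, and the correct token, and it treats a 200 with an empty result list as "no data returned" rather than "request rejected". The endpoint path, header format and response shape are assumptions, and APP_URL and TYPE_NAME are placeholders.

```python
import json
import urllib.error
import urllib.request

# Assumed (not from the thread): Bubble-style endpoint <app>/api/1.1/obj/<type>,
# header "Authorization: Bearer <token>", body {"response": {"results": [...]}}.
APP_URL = "https://example-app.bubbleapps.io/version-test"  # placeholder
TYPE_NAME = "svx_test"                                       # placeholder


def urllib_get(url, headers):
    """Real transport: return (status, body) for a GET, even on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def returns_records(status, body):
    """True only if the call succeeded and returned at least one record.
    A 200 with an empty list means the privacy rule filtered everything,
    which is different from the request being rejected outright."""
    if status != 200:
        return False
    try:
        return len(json.loads(body)["response"]["results"]) > 0
    except (ValueError, KeyError, TypeError):
        return False


def probe(token, get=urllib_get, base=APP_URL, type_name=TYPE_NAME):
    """Issue the same GET four ways; each value says whether records came back."""
    url = f"{base}/api/1.1/obj/{type_name}"
    cases = {
        "no_token": {},
        "wrong_token": {"Authorization": "Bearer not-the-real-token"},
        "bare_token": {"Authorization": token},  # the 'Bearer ' prefix is missing
        "valid_token": {"Authorization": f"Bearer {token}"},
    }
    return {name: returns_records(*get(url, hdrs)) for name, hdrs in cases.items()}


def verdict(results):
    if results["no_token"] or results["wrong_token"] or results["bare_token"]:
        return "OPEN"               # anonymous or wrong credentials can read data
    if results["valid_token"]:
        return "PROTECTED"          # only the correct Bearer token reads data
    return "CHECK_HEADER_OR_TOKEN"  # even the real token got nothing back
```

Run `verdict(probe("<your api token>"))` against a test version of the app after changing a privacy rule; "OPEN" is the state the original post describes, and "CHECK_HEADER_OR_TOKEN" is what a malformed Authorization header produces.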
