Version: ACE 5

Secure Dynamic APIs

Overview

By default, ACE production APIs are secured and require authentication for access. To call these APIs, clients must include an Authorization header with a Bearer token in their requests:

Authorization: Bearer <your_token_here>

To enable token validation and grant access to the APIs, the ACE runtime server configuration must be properly set up. Learn how to configure the runtime

All Dynamic APIs running in production mode are protected by default. It is possible, however, to expose selected APIs publicly.

To make an API public, you must explicitly enable this option by checking the "Public" checkbox when creating the API. A public API can be called without an Authorization header, so use this only for endpoints that are genuinely meant for anonymous access.

Configuration

There are two ways to configure the key used to validate a JWT: manual or remote.

Apart from the variables required by the chosen option, all configuration variables are optional, but it is strongly recommended to also set the expected issuer and audience alongside them. Without them, a token with a valid signature that was issued by another party, or issued for a different application, is still accepted.

Manual

Required variables for manual configuration: ACE_JWT_VALIDATION_SECRET and ACE_JWT_VALIDATION_ALGORITHM.

With the manual option, you provide the shared secret (for HMAC algorithms) or the public key (for asymmetric algorithms) in the ACE_JWT_VALIDATION_SECRET variable, and the algorithm that tokens must be signed with in ACE_JWT_VALIDATION_ALGORITHM.

Remote

Required variables for remote configuration: ACE_JWT_VALIDATION_OPENID_ISSUER.

With the remote option, you provide the OpenID issuer URL in the ACE_JWT_VALIDATION_OPENID_ISSUER variable and the runtime discovers the signing keys from the issuer. If ACE_JWT_VALIDATION_ALGORITHM is set, it is used; if it is not set, the algorithm is taken from the retrieved JWK. Setting the algorithm explicitly is the safer choice, since the accepted algorithm then does not depend on what the remote key document contains.

note

The key is retrieved through the OpenID discovery document at ${ACE_JWT_VALIDATION_OPENID_ISSUER}/.well-known/openid-configuration. The path is appended directly to the configured value, so provide the issuer URL without a trailing slash, and use an https URL so the key material cannot be tampered with in transit.
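The script below is added here as an illustration and is not part of ACE's own code; how the ACE runtime implements validation is not shown on this page. It walks through what the two configuration modes amount to: the verification key is resolved either from ACE_JWT_VALIDATION_SECRET plus ACE_JWT_VALIDATION_ALGORITHM (manual), or from the discovery document at ${ACE_JWT_VALIDATION_OPENID_ISSUER}/.well-known/openid-configuration and the JWKS it points to (remote, with the algorithm taken from the JWK when none is configured), after which signature, expiry, issuer and audience are checked. Only the Python standard library is used, so it verifies HS256 only. The sample issuer https://idp.example.test, its discovery and JWKS documents (served from an in-memory dict instead of the network, and using a symmetric "oct" JWK rather than the RSA or EC keys real issuers publish), the function names and the sample tokens are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

class JwtValidationError(Exception):
    pass

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(key: bytes, claims: dict, kid: str = "") -> str:
    """Mint a sample HS256 token; used here only to construct test input."""
    header = {"alg": "HS256", "typ": "JWT", **({"kid": kid} if kid else {})}
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])

# Constructed stand-in for the network: the discovery document and JWKS an assumed sample issuer
# would serve. A symmetric "oct" JWK is used so the signature check needs only the standard library.
ISSUER = "https://idp.example.test"
REMOTE_KEY = b"remote-shared-secret-0123456789"
FAKE_HTTP = {
    f"{ISSUER}/.well-known/openid-configuration": {"issuer": ISSUER, "jwks_uri": f"{ISSUER}/keys"},
    f"{ISSUER}/keys": {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256", "k": _b64url_encode(REMOTE_KEY)}]},
}

def fetch_json(url: str) -> dict:
    if url not in FAKE_HTTP:
        raise JwtValidationError(f"discovery failed for {url}")
    return FAKE_HTTP[url]

def resolve_key(env: dict, header: dict):
    """Return (key bytes, algorithm) according to the manual or remote configuration."""
    secret = env.get("ACE_JWT_VALIDATION_SECRET")
    alg = env.get("ACE_JWT_VALIDATION_ALGORITHM")
    issuer = env.get("ACE_JWT_VALIDATION_OPENID_ISSUER")
    if secret:  # manual: both the secret and the algorithm are required
        if not alg:
            raise JwtValidationError("manual mode requires ACE_JWT_VALIDATION_ALGORITHM")
        return secret.encode(), alg
    if issuer:  # remote: issuer -> discovery document -> jwks_uri -> key matching the token's kid
        discovery = fetch_json(f"{issuer}/.well-known/openid-configuration")
        for jwk in fetch_json(discovery["jwks_uri"]).get("keys", []):
            if jwk.get("kid") == header.get("kid"):
                return _b64url_decode(jwk["k"]), alg or jwk.get("alg")  # configured alg wins over the JWK's
        raise JwtValidationError("no JWK matches the token's kid")
    raise JwtValidationError("neither manual nor remote validation is configured")

def validate_token(token: str, env: dict, expected_issuer: str = "", expected_audience: str = "", now: float = 0.0) -> dict:
    """Verify signature, expiry, issuer and audience; return the claims or raise."""
    try:
        h, p, s = token.split(".")
        header, claims, signature = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:  # covers bad base64, bad JSON and the wrong number of segments
        raise JwtValidationError("malformed token")
    key, alg = resolve_key(env, header)
    if alg != "HS256":
        raise JwtValidationError(f"unsupported algorithm {alg}")  # this demo implements HS256 only
    if header.get("alg") != alg:  # the algorithm is pinned by configuration, never taken from the token
        raise JwtValidationError("token alg does not match the configured algorithm")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtValidationError("bad signature")
    if "exp" in claims and (now or time.time()) >= claims["exp"]:
        raise JwtValidationError("token expired")
    if expected_issuer and claims.get("iss") != expected_issuer:
        raise JwtValidationError("issuer mismatch")
    if expected_audience:
        aud = claims.get("aud")
        if expected_audience not in (aud if isinstance(aud, list) else [aud]):
            raise JwtValidationError("audience mismatch")
    return claims

def demo() -> dict:
    """Exercise both modes and three rejections; returns each outcome by case name."""
    claims = {"iss": ISSUER, "aud": "ace-api", "sub": "alice", "exp": 2_000_000_000}
    manual_env = {"ACE_JWT_VALIDATION_SECRET": "manual-secret", "ACE_JWT_VALIDATION_ALGORITHM": "HS256"}
    remote_env = {"ACE_JWT_VALIDATION_OPENID_ISSUER": ISSUER}  # no algorithm set: taken from the JWK
    cases = [
        ("manual", make_hs256_token(b"manual-secret", claims), manual_env),
        ("remote", make_hs256_token(REMOTE_KEY, claims, kid="k1"), remote_env),
        ("wrong_key", make_hs256_token(b"attacker-guess", claims), manual_env),
        ("wrong_aud", make_hs256_token(b"manual-secret", {**claims, "aud": "other-app"}), manual_env),
        ("unknown_kid", make_hs256_token(REMOTE_KEY, claims, kid="k9"), remote_env),
    ]
    out = {}
    for name, token, env in cases:
        try:
            out[name] = "accepted sub=" + validate_token(token, env, ISSUER, "ace-api")["sub"]
        except JwtValidationError as e:
            out[name] = f"rejected: {e}"
    return out
```

Calling demo() returns the outcome of each case: the manual and remote tokens are accepted, while a token signed with a different key, a token issued for another audience, and a token whose kid has no matching JWK are rejected. Note that the algorithm comes from the configuration (or, failing that, the JWK) and is compared against the token header; a verifier that trusts the header's alg on its own is open to algorithm confusion, which is the reason for pinning ACE_JWT_VALIDATION_ALGORITHM.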