Hello everyone,
We are using the web services available on RSA IGL to do some interactions with it, like getting some information about reviews, but I misunderstood something ...
Normally we should first use loginUser to get the token needed to interact with the API, but when I check some of the interfaces available in the web services, a lot of them do not need the token in order to be used. If I try, for example, to use findUsers without the token, I get the result with users.
1) Why can I query the API without the token?
2) Is it possible to set the token as "needed" for calling them?
Thanks for your help.
Hi Steve,
There are two authorization types for our webservices:
In your case, either you are calling the web service from a whitelisted IP address or you are allowing all connections (which is not recommended as per security best practices). You can verify your settings from Admin > Web Services > List of IPs allowed to invoke web services.
Here is an example from my lab where I did not restrict any IP address in the whitelist, which means anyone can call any web service without a token. By default you should keep this as 127.0.0.1 (localhost).