API management for 3rd party data consumers

We want to expose certain BAQ data to a third party but I do not want them to be calling the Epicor API directly. I know that recently BAQ security on API was exposed to limit what a user can call, but I am not at that upgrade yet.
My initial thought was to create a Web API that then calls the specific BAQ and returns the data to the caller. The issue I see is maintainability.
Is there a preferred or better method to do what I’m attempting, which is essentially a simple API to call another API?

1 Like

We do this: we created an intermediate service with a whitelisted list of BAQs that can be called, and gave them a private token they must send in with their request, which we validate against a UD table.

2 Likes

Does that mean you also wrote the intermediate service or was there some other tool utilized to manage that?

I wrote the intermediate service using .NET Core Web API. Pretty straightforward, nothing fancy, just a way to shield the rest of the Epicor API and restrict access.

2 Likes

Maintenance can be an issue, but we wrote it with this in mind so we can dynamically change which BAQs are allowed and generate “new tokens” which allow certain BAQs to run.
Basically this

And of course we can delete / revoke the token at any time.

4 Likes
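
A minimal sketch of the scheme described in the posts above (an allow-list of BAQs, per-consumer tokens scoped to specific BAQs, revocation at any time), added here as an illustration; it is not the poster's project code. The class name, method names and BAQ IDs are hypothetical, an in-memory dictionary stands in for the UD table, and .NET Core 2.1 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Hypothetical stand-in for the UD table: SHA-256(token) -> BAQs that token may run.
// Only the hash is kept, so reading the table does not yield usable tokens.
public sealed class BaqTokenStore
{
    private readonly Dictionary<string, HashSet<string>> _rows = new Dictionary<string, HashSet<string>>();
    private readonly HashSet<string> _allowList;
    public BaqTokenStore(IEnumerable<string> allowList) =>
        _allowList = new HashSet<string>(allowList, StringComparer.OrdinalIgnoreCase);

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Issue a random 256-bit token scoped to the given BAQs (all must be allow-listed).
    public string Issue(params string[] baqs)
    {
        foreach (var b in baqs)
            if (!_allowList.Contains(b)) throw new ArgumentException("BAQ not allow-listed: " + b);
        var raw = new byte[32];
        RandomNumberGenerator.Fill(raw);
        var token = Convert.ToBase64String(raw);
        _rows[Hash(token)] = new HashSet<string>(baqs, StringComparer.OrdinalIgnoreCase);
        return token; // handed to the consumer once; never stored in clear
    }

    public bool Revoke(string token) => _rows.Remove(Hash(token));

    // Deny by default: missing input, unknown or revoked token, or BAQ outside the token's scope.
    public bool IsAllowed(string token, string baqId) =>
        !string.IsNullOrEmpty(token) && !string.IsNullOrEmpty(baqId)
        && _rows.TryGetValue(Hash(token), out var scope)
        && _allowList.Contains(baqId) && scope.Contains(baqId);
}
public static class Demo
{
    public static void Main()
    {
        var store = new BaqTokenStore(new[] { "zCustOpenOrders", "zPartOnHand" }); // constructed BAQ IDs
        var token = store.Issue("zCustOpenOrders");
        Console.WriteLine(store.IsAllowed(token, "zCustOpenOrders")); // BAQ in the token's scope
        Console.WriteLine(store.IsAllowed(token, "zPartOnHand"));     // allow-listed, outside this token's scope
        store.Revoke(token);
        Console.WriteLine(store.IsAllowed(token, "zCustOpenOrders")); // same request after revocation
    }
}
```

In a Web API the `IsAllowed` check would run before the service forwards anything to Epicor, so a request with an unknown token or an out-of-scope BAQ never reaches the backend.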

Any reason you went with .Net Core Web API vs standard .Net Web API?

Docker support :smiley:
Also cross platform portability etc

1 Like

I can put it on GitHub if anyone wants to play with it ¯_(ツ)_/¯

4 Likes

I, for one, would appreciate it. TBH the hardest part of my job is being the only developer so I don’t know what I don’t know, you know? :slight_smile:

2 Likes

Is there any overlap with REST v2 API-Keys in 10.2.400?

Kinda. With API keys I believe you still need access scope, and I’m not sure if access scope can be tied to specific BAQs only?
So maybe?

Not sure either but access tokens like this will be needed for v1 regardless. Thanks for sharing the library!

1 Like

See / Clone Project Here

NOTE:
I AM NOT SAYING THIS IS THE END ALL BE ALL OR THAT THIS WILL EVEN WORK OR THAT IT WILL SECURE ANYTHING. THIS IS JUST AN EXAMPLE OF WHAT WE ARE USING INTERNALLY AND ALTHOUGH WE HAVE DONE SOME TESTING I STRIPPED SOME THINGS OUT (PERTINENT TO OUR BUSINESS) WHICH SHOULD HAVE NO IMPACT ON IT HOWEVER.
I CANNOT AND WILL NOT GUARANTEE THIS TO WORK AND I WILL NOT AND CANNOT TAKE ANY RESPONSIBILITY IF YOU USE THIS AND YOUR STUFF GETS HACKED!
THIS IS PROVIDED AS IS

Now… enjoy!

8 Likes

Much appreciated, love the disclaimer :sweat_smile:

LoL #CYA, if you have issues getting it going let me know

1 Like

In summary “Safe Harbor”

1 Like

Did you look at this any yet @Aaron_Moreng?
Just curious if it worked for you.

Hey not yet, I started a new .NET Core Web API project and was sidetracked.
Feels like cheating if I just copy your project though! :slight_smile:

I’ll work on it and report back

bahaha way to use git properly… SIGH

LMAO jk :laughing:

ok cool let me know what you find

Implying I know how to use git properly :wink: