Hello Team,
Greetings for the day.
We have to expose data through a REST API from an OutSystems application, and the app has been deployed on OutSystems Cloud. We have set basic authentication on the REST API, but with basic authentication users will be able to access the API from their personal devices as well if they know the credentials.
How can we avoid this security risk?
Can we set up VPN connection specifically for REST API access in OutSystems Application?
If we set up VPN on REST API level in Outsystems Application,
can we access the UI flow and rest of the application without VPN connectivity?
will it impact accessing Service Center and LifeTime?
Our end goal is to expose the REST API through VPN connectivity so that the data is exposed securely to other systems.
Note: Please suggest secure ways to expose the API apart from basic and custom authentication.
Regards,
Ajit Kurane.
Hi Ajit,
To securely expose a REST API in an OutSystems Cloud application, while ensuring access is limited to authorized systems and not end-user devices, below are the recommended approaches and detailed responses to your questions:
Can we set up a VPN connection specifically for REST API access?
OutSystems Cloud does not support configuring VPN access at the individual module level (such as just for REST APIs). However, you can request a VPN or private link between the OutSystems Cloud and your on-premises or external cloud systems. This setup is typically referred to as Hybrid Connectivity or Private Network Peering and is managed by OutSystems Support.
This configuration allows only clients within your VPN-connected network (e.g., internal servers) to access the REST API, effectively blocking access from personal or unauthorized devices.
Note: VPN connectivity is generally a premium feature and must be requested via OutSystems Support.
Network-Level Protection Options:
If you're currently using Basic Authentication, you can enhance security by applying additional network restrictions:
IP Whitelisting: Restrict access to the API to specific static IP addresses. Available on Enterprise plans, this is a straightforward way to block access from unapproved sources.
API Management Gateway (e.g., Azure API Management, AWS API Gateway):
Acts as a security layer in front of your OutSystems REST API.
Enables enforcement of policies such as OAuth 2.0, API keys, IP whitelisting, rate limiting, and JWT validation.
Can be hosted within your own network, optionally requiring VPN access for API consumption.
Q1: Can we access the UI and other parts of the application without VPN?
Yes. If the VPN is scoped to specific endpoints or subnets (e.g., just the REST API), the rest of the application, including the user interface, can remain publicly accessible or protected by standard login mechanisms.
To achieve this, consider modularizing your application so the API is deployed in a separate module or service, isolated from the main UI.
Q2: Will VPN access impact Service Center or LifeTime?
No. VPN configurations that apply to application-level traffic do not affect access to OutSystems administrative tools like Service Center or LifeTime. These tools are hosted separately by OutSystems and are accessed via different domains.
Recommended Secure Architecture
To protect your REST API while ensuring ease of access for legitimate users, consider the following design:
Isolate the REST API in a separate module within the application.
Secure the API using:
OAuth 2.0 client credentials (recommended), or
Mutual TLS (mTLS) for strong identity verification.
IP whitelisting for additional protection.
Use an API Gateway, such as:
Azure API Management
AWS API Gateway with VPC Link
Apigee or Kong Gateway
Set up a VPN or private network link between OutSystems Cloud and your internal systems (optional, for enhanced security).
Keep the application’s UI (web or mobile) publicly accessible, but protected through secure authentication (e.g., login via OutSystems user management or SSO).
This approach ensures your REST API is accessible only from trusted systems, while still providing a smooth user experience for UI-based access and maintaining admin tool availability.
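The policy chain the answer above recommends for the gateway layer (source-network allowlisting in front of the API, then validation of an OAuth 2.0 client-credentials bearer token) can be illustrated with a small stand-alone check. The following is an added example written for this thread, not code from OutSystems or from any of the gateways named above. It assumes a constructed allowlist (a 10.20.0.0/16 VPN range and one partner IP), an HS256-signed JWT with a constructed shared secret, and an audience value "outsystems-data-api"; a production gateway would verify RS256 tokens against the identity provider's published keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

# Constructed sample allowlist: only these networks may reach the API.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),     # assumed VPN-connected internal range
    ipaddress.ip_network("203.0.113.10/32"),  # assumed static IP of a partner system
]

# Constructed shared secret for this HS256 illustration only.
GATEWAY_SECRET = b"example-secret-do-not-use"
EXPECTED_AUDIENCE = "outsystems-data-api"   # assumed audience claim for the data API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(client_id: str, scope: str, lifetime_s: int = 300, now: Optional[int] = None) -> str:
    """Issue a short-lived HS256 JWT, as a token endpoint would after a client-credentials grant."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": client_id, "aud": EXPECTED_AUDIENCE,
                                  "scope": scope, "iat": now, "exp": now + lifetime_s}).encode())
    sig = hmac.new(GATEWAY_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, required_scope: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm, expiry, audience and scope all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust "none" or a surprise alg
            return None
        expected = hmac.new(GATEWAY_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if claims.get("aud") != EXPECTED_AUDIENCE or claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims


def authorize_request(client_ip: str, headers: dict, required_scope: str, now: Optional[int] = None):
    """Gateway decision: network allowlist first, then bearer-token validation.

    Returns (allowed, reason) so the reason can be logged for detection purposes.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "malformed client address"
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return False, "source address not in allowlist"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], required_scope, now)
    if claims is None:
        return False, "token rejected"
    return True, f"allowed for client {claims['sub']}"


if __name__ == "__main__":
    token = mint_token("partner-erp", "data:read")
    print(authorize_request("10.20.5.7", {"Authorization": f"Bearer {token}"}, "data:read"))
    print(authorize_request("198.51.100.9", {"Authorization": f"Bearer {token}"}, "data:read"))
```

The ordering matters: the network check runs before any token parsing, so a request from outside the VPN or partner range is dropped without touching the token at all, which is what keeps a leaked credential useless from a personal device. Each denial returns a distinct reason so the gateway logs can distinguish off-network attempts from expired or tampered tokens.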