How can I create secure REST APIs with OutSystems?

Table of contents

  1. Basic authentication
  2. Custom
  3. Learn more

When exposing a REST API, a team can configure the service to require authentication. There are three authentication modes available:

  • None: Anyone can invoke the API without needing to authenticate;
  • Basic: To invoke the REST API, a team will need to specify a username and password on the HTTP headers of the request;
  • Custom: An organization can implement their own authentication mechanism. 

Basic authentication

To require username/password authentication in a team's REST APIs, a team has the option to add basic authentication. This is done in the visual editor by setting the 'Authentication' parameter for the service.

Once a service has basic authentication, all clients that use the API need to send the credentials on the HTTP headers of the request. If no credentials are present, OutSystems automatically sends a JSON response with an error message, which looks like:

  "Errors": [
    "Basic Authentication required."

When clients send their credentials, OutSystems makes them available as parameters. This automates much of the boilerplate code that developers need to implement authentication functionality.


Implement a custom authentication logic by using existing hooks. In this case, a team could use built-in methods to check the HTTP header and body the client sent.

Alternatively, a team can also use their own custom code to extend the built-in methods.

Learn more

Follow these links to learn more: