Basic authentication is now fully controlled by the trusted applications (v.22, breaking change)

Unlike the versions before 2022, when basic authentication was (kind of) enabled by default, now the situation is quite different.

  • Basic authentication now "lives" in the context of a trusted application.
  • Basic authentication must be explicitly enabled per trusted application.
  • Authentication via /Login (and /Logout) endpoints (a.k.a. ErpSession) is now treated as basic authentication.
  • Domain API access via ErpSession must corresponds to a specific trusted application.
  • Trusted applications with system user set as the built-in <SYSTEM> account don't allow basic authentication.

Does this change affect me?

Yes it does if,

  • You are using basic authentication, not bound to a specific trusted application.
  • Your trusted application is not configured to meet the requirements:
    • Allows basic authentication.
    • Have a specific system user set.

What to do if this change affects me?

Depending on the particular case, may be necessary:

  • To create a trusted application, corresponding to your external one.
  • To configure an existing trusted application (e.g. to allow basic authentication).
  • If using ErpSession, to specify the exact trusted application uri in the body in your /Login POST request. E.g.,
    "user": "developer",
    "pass": "a-very-strong-password",
    "app": "my-external-app"



More information is available in our official documentation:

Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk