Protected self-service REST APIs are used by end-users to modify their user account data. Typical examples are the modification of address information and authentication token self-management.
There are two types of protected APIs:
- Flow-based self-services
  - All APIs under `/protected/self-service`.
  - These are flow-based self-services with all the advantages of flows.
  - Access and authorization conditions are used to protect the endpoints. They are configured directly in the flow or service configs.
  - Favor these services over the session-less endpoints.
- Session-less endpoints
  - All APIs under `/protected/my` (plus the `/secret-question` endpoint directly under `/protected`).
  - These are non-flow-based, session-less services.
  - Authentication and authorization for these services are configured using the properties in the configuration group API Access Control.
  - For further information, see Session-less protected REST APIs.
  - If possible, use the corresponding flow-based self-services instead.