Contents x
API and Authentication
  • 03 Feb 2025
  • 3 Minutes to read
  • Print
  • Dark
    Light
Contents

API and Authentication

  • Updated on 03 Feb 2025
  • 3 Minutes to read
  • Print
  • Dark
    Light
Article summary

The most common use case of the Decisions API is running Rules and Flows through a Rest Service call. However, the API can be used for other functions such as provisioning users, setting up folders or projects, setting branding, and more.

Authenticating to Decisions API

There are two primary ways to authenticate to Decisions API; using the authentication information provided by the View Integration Details page or providing authentication information in the HTTP Header.

Authentication information is required to call Decisions via API. This allows Decisions to grant access, check authorizations for specific activities, govern access to specific data, and audit the actions taken in the product.

Calling methods without the proper authentication information results in a 403, Forbidden Error.

View Integrations Details Page

The View Integrations Details page allows users to set parameters and obtain the appropriate GET or POST request types to execute a task. 

Request TypeDescription
GETAuthentication information is provided in the request URL
POSTAuthentication information is included as part of the POST body


Request Header Authentication

Users have the option to add authentication information in the Request Header. By using this option, users do not need to provide the authentication information in the URL or POST body. Instead, provide the information in the Request Header's Authorization field option.

 The Header values for the request will be different based on the type of authorization type.

Authorization TypeInput PassedExample Header
BasicUsername and Password encoded string (Base 64 Encode of "username:password", e.g., Base 64 encode of 'admin@decisions.com:admin') combined with a colon character"Authorization":"Basic YWRtaW5AZGVjaXNpb25zLmNvbTphZG1pbg=="
SessionSessionID or NamedSessionID"Authorization":"SessionID {SessionID or Named Session ID}"
BearerJWT Token"Authorization":"Bearer {JWTTOKEN}"

Basic Authorization Type

Username and Password are passed to the services as a Basic Authorization and should only be used for simple, periodic API calls. In most API uses, the username and password are used to create a Session for subsequent calls.

To programmatically send the User id and Password, combine them with a colon (:) character and then base64 encode the result. This is placed in the Header with the Basic’ keyword.

string merged = $"{userName}:{userPassword}";
string toSend = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(merged));
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", toSend));
client.GetAsync(“http://localhost:8081/Primary/restapi/Flow/2474ea6a-5472-11ec-8c48-803253078da6?”);



Session Authorization Type

A SessionID will be returned by utilizing the following API call. 

URL:"http://[baseportalURL]/Primary/REST/AccountService/LoginUser"
Post Body: { "outputtype" : "Json" }
Http Header: Authorization: Basic (Base64 String as described above)

JWT Authorization Type

Authorization using Decisions Native JWT

To configure and use a Decisions native JWT Token, refer to the article How to Set Up and Use JWT

Authorization using External OAuth JWT

Note: This feature is available only in v9.7 and above.

If using an External OAuth, JWT users must configure the JWT Access on the platform at System > Security > JWT Access.

Setting NameDescription
NameA user-defined name to create an entity
Issuer(iss)

This specifies the expected issuer of the JWT, such as https://auth.example.com. This ensures that only tokens issued by the trusted IdP are accepted, preventing unauthorized tokens from being used in API requests.

Audience (aud)

This defines the expected audience value in the JWT. This guarantees that the token is issued specifically for the Decisions API, preventing its misuse by other applications. If the audience claim in the token does not match the configured value, authentication will fail.

JWK Source

This defines how Decisions retrieves the JSON Web Key (JWK) for token validation. The JWK contains the cryptographic keys used to verify the JWT signature.

  • Fetch from URL: Fetch public keys dynamically from a given URL (e.g., from the IdP's JWKS endpoint).
  • JWKS String: Use a static JSON Web Key Set (JWKS) string provided by the user.
  • Single JWK String: Use a single public key (JWK) manually entered by the user for validation.
User ID TypeThis determines how Decisions identifies users from the JWT for authentication and authorization:
  • Get Email Address from JWT: Extracts the email address from the token's claims and maps it to a corresponding Decisions user.
  • Get User Identifier from JWT: Uses a unique identifier (such as sub or uid) from the token to map to a Decisions user.
  • Use Specific Account: Allows to pick an already existing Decisions native account to authenticate.

Once the JWT token has been acquired, API calls can be achieved by using the Bearer Authorization Type.

URL: http://[portalbaseURL]/Primary/?[DesignerElement]ID=[DesignerElementIDValue]&Action=api&outputtype=JSON

Http Header: Authorization: Bearer (JWT token)


Request Cookies on API Calls

On API calls, Decisions uses the following headers and cookies: 

Cookie NameDescription
Decisions.AuthAllows a user to stay logged in after authentication
SessionValuePassed in on calls to connect actions to an account
ClientEventSessionIdUnique ID to each open tab of Decisions (not the same as the SessionID)
formSessionInfoIdID related to the currently running Form

Feature Changes

DescriptionVersionRelease DateDeveloper Task
Added the ability to call the Decisions APIs using OAuth JWT9.7February 2025[DT-042083]
For further information on Integrations, visit the Decisions Forum.
Was this article helpful?
What's Next
Decisions
Resources
Organization
Connect