Deprecating AuthTokens in SDP Cloud:
SDP Cloud REST APIs support two types of authentication: AuthToken and OAuth. Of these, OAuth is more secure and follows well-defined standards. AuthTokens, on the other hand, follow no well-defined standard, do not expire, and do not support delegated access. In short, they are less secure and must not be used going forward.
We will deprecate support for AuthToken-based authentication for our REST APIs in stages. From November 30th, users will not be able to generate new AuthTokens. AuthTokens that have already been generated will continue to work. From January 15, 2021, we will remove support for AuthTokens, and users won't be able to use already generated tokens to access the REST APIs.
Deprecating URI Model:
In the v3 version of the SDP Cloud REST APIs, we support special operations that can be invoked on entities. For instance, the pickup operation on a request is nothing but an edit operation where only the technician field is updated. Traditionally, users must invoke the edit API of the request and pass the current user's ID. SDP Cloud supports a special URL for such convenience operations. The operations can be performed by accessing the following URIs:
/api/v3/requests/<id>/assign
/api/v3/requests/<id>/_assign
Here, the "assign" at the end is the convenience operation. As you can see, the only difference between the two URIs is the underscore at the start of the assign token. This underscore ('_') identifies the segment as the name of the invoked operation.
We are deprecating the ambiguous operation URIs without the underscore. Support for these URIs will be removed after January 15, 2021. Any invalid URL accessed after the aforementioned date will return a 404 error code.
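An added example (not SDP Cloud's own code) for auditing an integration's endpoint list before the cutoff: it flags operation URIs that lack the underscore and proposes the underscore form. The operation names, host and IDs are assumptions; a final segment outside the supplied list is left untouched because it may be a sub-resource rather than an operation.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: the operation names your integration calls. "assign" is the
# page's example; "pickup" is assumed to be exposed under that name.
OPERATIONS = {"assign", "pickup"}

# Matches /api/v3/<resource-name>/<id>/<last-segment> with an optional trailing slash.
_PATH = re.compile(r"^(?P<prefix>/api/v3/[^/]+/[^/]+/)(?P<last>[^/]+)(?P<slash>/?)$")

def migrate(url, operations=OPERATIONS):
    """Return (status, url) where status is 'rewritten', 'ok' or 'unchanged'."""
    parts = urlsplit(url)
    m = _PATH.match(parts.path)
    if not m:
        return "unchanged", url   # not an entity-level v3 path
    last = m.group("last")
    if last.startswith("_"):
        return "ok", url          # already the unambiguous form
    if last not in operations:
        return "unchanged", url   # sub-resource or unknown name: review by hand
    new_path = m.group("prefix") + "_" + last + m.group("slash")
    return "rewritten", urlunsplit(parts._replace(path=new_path))

def audit(urls, operations=OPERATIONS):
    """Map each deprecated URL in `urls` to its underscore replacement."""
    return {u: new for u in urls
            for status, new in [migrate(u, operations)] if status == "rewritten"}

# Constructed sample inventory of endpoints used by an integration.
SAMPLE = [
    "https://sdp.example.com/api/v3/requests/1001/assign",
    "https://sdp.example.com/api/v3/requests/1001/_assign",
    "/api/v3/requests/1001/pickup",
    "/api/v3/requests/1001/notes",
    "/api/v3/requests/1001/_links",
    "/api/v3/requests/1001",
]

if __name__ == "__main__":
    for old, new in audit(SAMPLE).items():
        print(f"{old} -> {new}")
```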
PRO TIP: SDP Cloud APIs have HATEOAS implemented as a core component. Simply put, HATEOAS provides a standard way for clients to discover the actions and operations offered by a resource/entity. HATEOAS will always return the operations for which a user has authorization. This eliminates the need for clients to check whether a particular operation is allowed for a user.
HATEOAS for an entity/resource can be accessed with the following URI,
/api/v3/<resource-name>/_links
/api/v3/<resource-name>/<id>/_links
Below is a sample HATEOAS response of the _links operation for the "request" entity. The links section provides the details of each operation: its unique name, the HTTP method to be used, and the URL (href) to be invoked. We recommend that users identify the operation by its name and fetch the URL