Acumatica REST API Authentication
February 5, 2024
Introduction
Securing your Acumatica REST API is critical. This guide covers the different authentication methods available in Acumatica and how to implement them securely.
OAuth 2.0 Authentication
OAuth 2.0 is the recommended authentication method for Acumatica:
// Step 1: Get Authorization Code
GET /oauth/authorize?
    response_type=code
    &client_id=YOUR_CLIENT_ID
    &redirect_uri=YOUR_REDIRECT_URI
    &scope=api

// Step 2: Exchange Code for Token
POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTHORIZATION_CODE
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&redirect_uri=YOUR_REDIRECT_URI

// Response
{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "def50200a1b2c3d4..."
}
API Key Authentication
For simpler integrations, API keys can be used:
// Using API Key in Header
GET /api/data/AR303000
Authorization: Basic Base64(client_id:client_secret)
Session-Based Auth
For browser-based integrations:
// Login Request
POST /api/auth/login
Content-Type: application/json

{
    "company": "YOUR_COMPANY",
    "username": "API_USER",
    "password": "PASSWORD"
}

// Response includes session cookie
Set-Cookie: .ASPXAUTH=token; path=/
Code Examples
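<?php
class AcumaticaAuth
{
    private $accessToken;

    // PHP 8 constructor promotion declares and sets the three private properties.
    public function __construct(private $baseUrl, private $clientId, private $clientSecret) {}

    // Request an access token and keep it for later API calls.
    public function authenticate()
    {
        $response = $this->post('/oauth/token', [
            'grant_type' => 'client_credentials',
            'client_id' => $this->clientId,
            'client_secret' => $this->clientSecret,
            'scope' => 'api'
        ]);
        $this->accessToken = $response['access_token'];
    }

    // Call an API endpoint with the bearer token set by authenticate().
    public function makeRequest($endpoint, $method = 'GET', $data = null)
    {
        $headers = [
            'Authorization: Bearer ' . $this->accessToken,
            'Content-Type: application/json'
        ];
        return $this->request($endpoint, $method, $data, $headers);
    }

    // Form-encoded POST, the body format the token endpoint expects.
    private function post($endpoint, array $fields)
    {
        return $this->request($endpoint, 'POST', http_build_query($fields), []);
    }

    // cURL transport: JSON-encodes array bodies and decodes the JSON reply.
    private function request($endpoint, $method, $data, array $headers)
    {
        $ch = curl_init(rtrim($this->baseUrl, '/') . $endpoint);
        $opts = [CURLOPT_CUSTOMREQUEST => $method, CURLOPT_HTTPHEADER => $headers, CURLOPT_RETURNTRANSFER => true];
        if ($data !== null) {
            $opts[CURLOPT_POSTFIELDS] = is_array($data) ? json_encode($data) : $data;
        }
        curl_setopt_array($ch, $opts);
        return json_decode((string) curl_exec($ch), true);
    }
}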
Security Best Practices
- Use HTTPS - Always encrypt API communications
- Rotate Secrets - Change API keys periodically
- Use Least Privilege - Grant minimum required permissions
- Token Expiration - Handle token refresh properly
- Audit Logs - Monitor API access patterns
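The "Token Expiration" practice above, as an added example that is not part of this guide's or Acumatica's own code: a small PHP cache that uses the `expires_in` and `refresh_token` fields of the token response to refresh shortly before expiry. The `TokenCache` class, the `$tokenEndpoint` callable and the sample token values are assumptions constructed for illustration; `grant_type=refresh_token` is the standard OAuth 2.0 refresh grant.

```php
<?php
declare(strict_types=1);

final class TokenCache
{
    private ?string $accessToken = null;
    private ?string $refreshToken = null;
    private int $expiresAt = 0;

    // $tokenEndpoint is a hypothetical callable that POSTs the given form fields
    // (plus client credentials) to /oauth/token over HTTPS and returns the decoded JSON.
    public function __construct(private $tokenEndpoint, private int $skew = 60) {}

    public function store(array $response, int $now): void
    {
        if (!isset($response['access_token'], $response['expires_in'])) {
            throw new RuntimeException('Token response is missing access_token or expires_in');
        }
        $this->accessToken = (string) $response['access_token'];
        $this->expiresAt = $now + (int) $response['expires_in'];
        // Servers may rotate the refresh token; keep the previous one if none is returned.
        $this->refreshToken = $response['refresh_token'] ?? $this->refreshToken;
    }

    public function accessToken(int $now): string
    {
        if ($this->accessToken !== null && $now < $this->expiresAt - $this->skew) {
            return $this->accessToken; // still valid outside the safety margin
        }
        if ($this->refreshToken === null) {
            throw new RuntimeException('No refresh token; repeat the authorization flow');
        }
        $this->store(($this->tokenEndpoint)([
            'grant_type' => 'refresh_token',
            'refresh_token' => $this->refreshToken,
        ]), $now);
        return $this->accessToken;
    }
}

// Constructed stand-in for the token endpoint so the example runs offline.
$calls = 0;
$fakeEndpoint = function (array $fields) use (&$calls): array {
    $calls++;
    return ['access_token' => "access-$calls", 'expires_in' => 3600, 'refresh_token' => "refresh-$calls"];
};
$cache = new TokenCache($fakeEndpoint);
$cache->store(['access_token' => 'access-0', 'expires_in' => 3600, 'refresh_token' => 'refresh-0'], 1000);
var_dump($cache->accessToken(1100), $cache->accessToken(4570), $calls);
```

In a real integration, pass `time()` as `$now` and persist the rotated refresh token in the same protected store as the client secret.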
Summary
Acumatica provides multiple authentication methods to suit different integration scenarios. OAuth 2.0 is recommended for most modern applications.
For more details, see our REST API Integration Guide.