RESTfm supports HTTP basic access authentication and API key access.

It is recommended that HTTPS (SSL/TLS) is used when accessing RESTfm to ensure that authentication credentials are encrypted and cannot be intercepted by snooping on the network traffic.

Failure to provide valid authentication credentials results in RESTfm responding with HTTP error 401 Unauthorized (or 403 Forbidden for non-HTML formats).

Basic access authentication

Basic access authentication (a.k.a. HTTP Basic Auth) allows FileMaker database account credentials to be used over HTTP when authenticating with RESTfm. The account must have the PHP Web Publishing privilege enabled. See the Wikipedia article on basic access authentication.

Note: Web browsers can only authenticate when using .html format

When using a web browser with RESTfm (a very useful tool during development), authentication is only possible when using the .html format. Once successfully authenticated, the browser caches the credentials and the format may be changed. This applies only to web browsers, and only when 'forbiddenOnUnauthorized' is set to TRUE in RESTfm.ini.php (which is the default).

API keys

API keys may be used to give access to RESTfm resources without exposing the original account username and password needed to authenticate with the FileMaker Server backend.

API keys may be added to the RESTfm.ini.php configuration file. Each key is associated with a username + password pair. A good API key is a long (> 10 characters) string of random characters and is URL-friendly (i.e. contains no "special" characters).

Query string parameter

RFMkey=<key> Use the provided API key for authentication.

API key as username in basic access authentication

An alternate method to transmit the API key is to set it as the username when using basic access authentication. The password will be ignored.

Security considerations

SSL/TLS encrypts the API key with either transmission method, but the web server may write the key to its access log if it is sent as a query string parameter.

The API key has the same level of access as the username + password it is associated with.
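The two API key transmission methods above, as an added example that is not part of RESTfm: a small Python client helper that generates a URL-friendly key, carries the key as the Basic Auth username with an empty password, and refuses plain HTTP and the RFMkey query string parameter so the key cannot be sniffed or logged. The host name and resource path are constructed placeholders, not RESTfm's own URL layout.

```python
"""Example RESTfm client helpers (added here; not part of RESTfm itself)."""
import base64
import secrets
import string
import urllib.parse
import urllib.request

# Alphanumeric only: long, random, and URL-friendly with no "special" characters.
KEY_ALPHABET = string.ascii_letters + string.digits


def generate_api_key(length: int = 32) -> str:
    """Generate a random API key suitable for the RESTfm.ini.php key table."""
    if length <= 10:
        raise ValueError("API keys should be longer than 10 characters")
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def basic_auth_header(username: str, password: str = "") -> str:
    """Build an HTTP Basic Auth header value (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(url: str, api_key: str) -> urllib.request.Request:
    """Prepare a RESTfm request carrying the API key as the Basic Auth username.

    The password half is left empty because RESTfm ignores it for API keys.
    HTTPS is enforced so the key never travels in clear text, and the RFMkey
    query string parameter is rejected so the key cannot end up in web server
    access logs.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("RESTfm credentials must only be sent over HTTPS")
    if "RFMkey" in urllib.parse.parse_qs(parts.query, keep_blank_values=True):
        raise ValueError("do not put the API key in the query string; use the Authorization header")
    request = urllib.request.Request(url)
    request.add_header("Authorization", basic_auth_header(api_key))
    return request


if __name__ == "__main__":
    # Constructed sample values: placeholder host and database resource.
    key = generate_api_key()
    req = build_request("https://restfm.example/RESTfm/mydb.json", key)
    print(req.full_url, req.get_header("Authorization"))
```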