APEX Basic REST authentication

To prevent unauthorized access to your REST modules, APEX provides an easy, declarative way of adding basic authentication. This method utilizes APEX user accounts and RESTful Service Privileges. In order not to expose passwords, you should make sure to enable SSL/HTTPS!

First edit an existing APEX user account, and add the RESTful Services group to that user.  In our example we’ll edit the APEX user SCOTT. To do this, navigate to Manage Users and Groups in the workspace where your REST modules are, edit a user, and assign the group in the Group Assignments region:


Next create the RESTful Service Privilege by navigating to RESTful Services in the SQL Workshop. In the Tasks sidebar on the right, click the RESTful Service Privilege link.


Fill out the form and select the modules you want to protect, by shuttling them to the right in Protected Modules.


That’s it! Everything under the selected module now requires the username and password of the APEX user. You can test this with the following curl command (edit URI as needed):

curl -u scott:tiger http://servername/ords/workspace/hr/empinfo/

When testing with Postman, choose the Basic Auth from the authentication select list and enter the APEX user’s username and password.



8 thoughts on “APEX Basic REST authentication

  • July 28, 2017 at 8:17 am

    … providing you had register SCOTT previously as a user at ORDS level. This is what emerges from my tests.

  • July 28, 2017 at 9:25 am

    are you using ORDS or embedded gateway? With standalone ORDS, I did again tests on my side, but I get a Unauthorized 401 If I just create a new user at APEX level, although I follow your cookbook.

  • July 31, 2017 at 11:14 am

    Hi Christoph,

    There should be a big warning at the top of this post: Only use basic authentication when SSL/HTTPS is enabled and enforced. Otherwise, you’re exposing passwords insecurely.


  • September 24, 2017 at 4:44 pm

    Hi Christoph,

    I have installed:
    Tomcat 9.0.0.M26

    And I’ve followed all your steps but still getting 401… Am I missing some extra step?

    Best regards,

  • September 25, 2017 at 11:23 am

    it is difficult to troubleshoot for me. 401 means there is something wrong with the authorization. I can only suggest double checking everything.

Comments are closed.