Yes, you absolutely don't want to hard-code those in the code. You have two options:
1) Have a login form which will ask for those and save them in either local variables (you will have to enter the login password after each page refresh) or local storage (not secure because the password is available in plain text). You can try some silly endpoint like _ping and check whether it returns 200 or 403 to see if the credentials are valid.
2) Use web sessions and store session information in cookies. Here you can use the usual IRIS login page to authenticate, but it's not REST best practice because the use of sessions is discouraged.
Or 3) set up and implement JWT authentication as described in the documentation: https://docs.intersystems.com/iris20242/csp/docbook/DocBook.UI.Page.cls?...
I'd say from my experience, the best for security and production use is 3, most people implement 2, and 1 is only good for prototyping/experiments because it's not secure.
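
Added example, not part of the original reply and not InterSystems code: a sketch of option 1 in which the credentials live only in a closure variable (never in local storage) and are validated with a probe request. The `/_ping` path, the base URL, the use of HTTP Basic auth and the function name `createCredentialSession` are assumptions for illustration.

```javascript
// Option 1: keep credentials in memory only and validate them with a probe call.
// Assumptions: a `/_ping` endpoint exists and the API accepts HTTP Basic auth.
function createCredentialSession(baseUrl, fetchImpl = globalThis.fetch) {
  let authHeader = null; // lives only in this closure; gone after a page refresh

  async function login(username, password) {
    // Basic auth is base64("user:pass"); encode as UTF-8 first so non-ASCII works.
    const bytes = new TextEncoder().encode(`${username}:${password}`);
    const candidate = 'Basic ' + btoa(String.fromCharCode(...bytes));
    const res = await fetchImpl(`${baseUrl}/_ping`, {
      method: 'GET',
      headers: { Authorization: candidate },
      credentials: 'omit', // no session cookies: this is not option 2
    });
    if (res.status === 200) {
      authHeader = candidate; // keep only after the server accepted it
      return 'ok';
    }
    authHeader = null;
    // 403 as in the reply above; 401 is the other common "bad credentials" status.
    if (res.status === 401 || res.status === 403) return 'rejected';
    return 'error'; // e.g. 5xx: says nothing about the credentials themselves
  }

  async function request(path, init = {}) {
    if (!authHeader) throw new Error('not logged in');
    const headers = { ...(init.headers || {}), Authorization: authHeader };
    return fetchImpl(`${baseUrl}${path}`, { ...init, headers, credentials: 'omit' });
  }

  function logout() {
    authHeader = null; // drop the secret as soon as it is no longer needed
  }

  return { login, request, logout, isLoggedIn: () => authHeader !== null };
}
```

Because nothing is persisted, any script injected into the page still runs with access to the live session, so this only removes the at-rest copy of the password that local storage would leave behind.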
That's an ambitious plan for sure! I also recommend the demos & drinks event; you can learn a lot of stuff you don't even have an idea you wanted to know about before you see it :). See you there!










Hi Evgeny,
In my opinion, the best approach is to divide API endpoints into multiple subclasses using the Forward functionality. See, for example, the implementation of the %Api.InteropEditors class in the %SYS namespace; it showcases how OpenAPI can be implemented with the Forward functionality.