
Authorization

Authorization in the Pure API is the act of validating that a request only invokes an operation, and only fetches or affects data, as permitted by the definition of the API key used for the request. Authorization is applied on multiple levels in the Pure API: endpoint-level authorization ensures that only operations in endpoints allowed for by the current API key can be used, operation-level authorization ensures that only select kinds of operations (reads or writes) are allowed to execute, and object- and field-level filtering narrows down which data is returned or updated.


Read more about managing and configuring API keys in the API keys section.


Pure kernel restrictions

All applications of Pure run on top of a common Pure kernel. As a result, the Pure API is always limited by the built-in security mechanisms of the Pure kernel. The Pure kernel authorizes access to functionality in Pure based on the currently authenticated user. In the 'admin' Pure application, the currently authenticated user originates from an end-user logging in or a job being configured to run in context of a specific user. In the Pure API, the API key authenticates its associated user for the duration of a request. In effect, a request to the Pure API cannot exceed the bounds of what the user associated with the API key is allowed to do.


Pure logs who does what in the form of audit entries. Each logged audit entry is tagged with the username of the currently authenticated user.

Pure API restrictions

The Pure API supplements the low-level security mechanism of the Pure kernel with a number of ways to further narrow down what is permitted; you cannot configure an API key to allow more than what is possible using its associated user. For example, if the user associated with an API key cannot delete persons, then no part of the Pure API will succeed in deleting persons.

The following table lists the various aspects of the Pure API that can be further locked down using an API key definition and its associated access definition:

Guarded level: Endpoint
Determined by: Endpoints allowed for by API key
Description: Allow only use of operations in select endpoints.
Example: You will be able to invoke GET /research-outputs, but not GET /persons, when /research-outputs/* is the only endpoint added to the current API key.

Guarded level: Operation
Determined by: Access mode per type on access definition of API key
Description: Allow only use of operations that write, per endpoint, sub-resources included. Invocation of an operation that writes is allowed if at least one field of the type handled by its endpoint allows Read and write. Generally, operations that require PUT or DELETE require Read and write configured for Access mode. Invocation of an operation that only reads is not affected by Access mode.
Example: You will be able to invoke GET /organizations, but not PUT /organizations, when the access definition of the current API key has Access mode set to Read-only for name on Organization.

Guarded level: Objects
Determined by: Filtering enabled on access definition of API key
Description: Allow only access to objects and details thereof let through by filtering.
Example: You will be able to fetch a research output content item with visibility set to FREE, but not one with visibility set to BACKEND, when you use an API key where its access definition has the Filter non-visible content filter enabled.

Guarded level: Fields
Determined by: Field access allowed for by access definition of API key
Description: Allow only select fields to be read, and only allow values of select fields to be applied during updates. Referred to as "API field filtering".
Example: You will get the abstract, title and uuid fields of a book anthology populated, but not other fields, such as volume, when you use an API key where its access definition has abstract, title and uuid selected for ResearchOutput under Types and fields.

Guarded level: Fields
Determined by: Filtering enabled using Content filters on access definition of API key
Description: Allow only access to fetch field values let through by filtering.
Example: You will only get the English abstracts of research output populated if such abstracts have been licensed for external use, when you use an API key where its access definition has Filter fields on content with external licensing among its enabled Content filters.

Guarded level: Metrics
Determined by: Filter access allowed for metric collections by access definition of API key. Access to the endpoint of the owning object is also required.
Description: Allow only selected metric collections to be read. Read more about working with metric collections in the Metrics section.
Example: You will be able to fetch values of the h-index metric collection using the Person endpoint when you use an API key where its access definition has hIndex selected under Metrics for the Person type.
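The layered checks described under "Pure kernel restrictions" and in the table above, as an added example that is not Pure's own code: a hypothetical Python model of an API key definition in which a request must pass the kernel-level permissions of the key's associated user, the endpoint check, the operation-level Access mode check, and then object and field filtering on the data that flows in or out. The classes, function names, endpoint-to-type mapping, sample key and the assumption that the "Filter non-visible content" filter hides BACKEND visibility are all constructed for illustration; only the rules come from the page.

```python
# Added example, not Pure's own code: a model of the authorization layers
# this page describes. Every class, name and sample value is constructed;
# only the ordering and meaning of the checks follow the page.
from dataclasses import dataclass

WRITE_METHODS = {"PUT", "POST", "DELETE"}

# Endpoint prefix -> Pure type handled there (constructed mapping).
ENDPOINT_TYPE = {
    "/research-outputs": "ResearchOutput",
    "/persons": "Person",
    "/organizations": "Organization",
}

# Assumption: the "Filter non-visible content" filter hides BACKEND items;
# the page names FREE as passing and BACKEND as hidden, nothing more.
NON_VISIBLE = {"BACKEND"}

AUDIT_LOG = []  # each decision is tagged with the key's associated username


@dataclass
class AccessDefinition:
    fields: dict        # type -> set of fields selected under "Types and fields"
    access_mode: dict   # type -> {field: "Read-only" | "Read and write"}
    filter_non_visible: bool = False


@dataclass
class ApiKey:
    user: str
    user_permissions: dict  # kernel level: type -> subset of {"read", "write"}
    endpoints: list         # allowed endpoint patterns, e.g. "/research-outputs/*"
    access: AccessDefinition


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def endpoint_allowed(key, path):
    """Endpoint-level check: the path must fall under a pattern on the key."""
    for pattern in key.endpoints:
        prefix = pattern[:-2] if pattern.endswith("/*") else pattern
        if _under(path, prefix):
            return True
    return False


def type_for(path):
    for prefix, typ in ENDPOINT_TYPE.items():
        if _under(path, prefix):
            return typ
    return None


def authorize(key, method, path):
    """Return (allowed, reason); every decision is audited under the key's user."""
    allowed, reason = _decide(key, method, path)
    AUDIT_LOG.append({"user": key.user, "method": method, "path": path, "allowed": allowed})
    return allowed, reason


def _decide(key, method, path):
    if not endpoint_allowed(key, path):
        return False, "endpoint not allowed for API key"
    typ = type_for(path)
    needed = "write" if method in WRITE_METHODS else "read"
    # Kernel restriction: a key can never exceed what its associated user may do.
    if needed not in key.user_permissions.get(typ, set()):
        return False, f"user {key.user} may not {needed} {typ}"
    # Operation-level check: a write needs at least one field in "Read and write";
    # reads are not affected by Access mode.
    if needed == "write":
        modes = key.access.access_mode.get(typ, {})
        if "Read and write" not in modes.values():
            return False, f"Access mode is Read-only for every field of {typ}"
    return True, "ok"


def filter_read(key, typ, obj):
    """Object-level filtering, then API field filtering, on one fetched object."""
    if key.access.filter_non_visible and obj.get("visibility") in NON_VISIBLE:
        return None
    selected = key.access.fields.get(typ, set())
    return {k: v for k, v in obj.items() if k in selected}


def filter_update(key, typ, payload):
    """Keep only values the key may apply: selected fields in Read and write mode."""
    selected = key.access.fields.get(typ, set())
    modes = key.access.access_mode.get(typ, {})
    return {k: v for k, v in payload.items()
            if k in selected and modes.get(k) == "Read and write"}


# Constructed sample key mirroring the page's examples.
SAMPLE_KEY = ApiKey(
    user="api-integration",
    user_permissions={"ResearchOutput": {"read", "write"},
                      "Organization": {"read", "write"},
                      "Person": {"read", "write"}},
    endpoints=["/research-outputs/*", "/organizations/*"],
    access=AccessDefinition(
        fields={"ResearchOutput": {"abstract", "title", "uuid"},
                "Organization": {"name"}},
        access_mode={"ResearchOutput": {"title": "Read and write",
                                        "abstract": "Read-only",
                                        "uuid": "Read-only"},
                     "Organization": {"name": "Read-only"}},
        filter_non_visible=True,
    ),
)

if __name__ == "__main__":
    for method, path in [("GET", "/research-outputs"), ("GET", "/persons"),
                         ("GET", "/organizations"), ("PUT", "/organizations")]:
        print(method, path, authorize(SAMPLE_KEY, method, path))
```

With the sample key, GET /persons fails at the endpoint layer and PUT /organizations fails at the operation layer because name is the only Organization field and it is Read-only, while a key whose associated user lacks write permission is refused at the kernel layer no matter how permissive its access definition is. Filtering then trims what a successful read returns and what a successful update may change.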

Published at February 20, 2024
