Web service security settings
A word of warning!
All of the settings mentioned in these pages are found in the Administrator tab > Security.
When you enter these pages you will see this warning:
Please take this seriously - if you disable filters in the web service, you could open up all content in Pure to web service users.
Access limitation
There are two types of access limitation for the Pure web service: username/password (which can be used to limit access to the documentation and the endpoints) and API keys (which limit the content types the key holder can see in the API).
API key
An API key limits which endpoints the key can access (e.g. research output, person, organization etc.).
Your Pure administrators can create these keys in the security settings:
Some things to consider when creating API keys:
- Create a separate key for each application that needs to access Pure data, so that you can limit access to the content types needed, and can close the access if the application is no longer used.
- Give each key a good description (e.g. Intranet phone book, project data to xxx system) so that it is easy to get an overview of which systems access Pure. This will help you when you need to notify them that a new API is available or an old one can no longer be used, before you update Pure.
- Only need access for a limited time? Then give the key an end date, and it will auto-expire.
- If you need a full copy of the data in Pure, you should create an administrator account; depending on the filter options, this opens up all content in Pure, including the confidential data. Please only use this option when absolutely necessary, as it puts the responsibility for filtering confidential content etc. on the API user.
- Please note that if you are using an API key created as an admin key, the filters applied are always those configured for authenticated users, even if no username/password is provided, so you have the option of making different filter rules for administrator and non-administrator accounts.
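The checklist above can be turned into a routine review of the keys you have issued. The following is an added example, not Pure's own code: it audits a constructed inventory of API keys (the record shape, field names and sample keys are assumptions made for illustration) and reports every key that is shared between applications, lacks a description, has no end date or has passed it, or is an admin key whose filtering falls on the API user.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple, FrozenSet, List


@dataclass
class ApiKey:
    """One API key as shown in Administrator > Security (constructed shape)."""
    applications: Tuple[str, ...]          # systems that use this key; should be exactly one
    description: str                       # free-text description of the consumer
    content_types: FrozenSet[str] = frozenset()   # endpoints the key may read
    end_date: Optional[date] = None        # None: the key never auto-expires
    is_admin: bool = False                 # admin keys see all content, incl. confidential


def audit_keys(keys: List[ApiKey], today: date) -> List[Tuple[str, str]]:
    """Return (application, finding) pairs for keys that break the guidance above."""
    findings = []
    for k in keys:
        name = ", ".join(k.applications) or "<unnamed>"
        if len(k.applications) != 1:
            findings.append((name, "key is shared by several applications; issue one key per application"))
        if not k.description.strip():
            findings.append((name, "missing description"))
        if k.end_date is None:
            findings.append((name, "no end date; the key will never auto-expire"))
        elif k.end_date < today:
            findings.append((name, "end date has passed; remove the key"))
        if k.is_admin:
            findings.append((name, "admin key: all content is exposed, filtering is the API user's responsibility"))
        elif not k.content_types:
            findings.append((name, "no content types enabled"))
    return findings


# Constructed sample inventory (not real keys)
SAMPLE_KEYS = [
    ApiKey(("Intranet phone book",), "Intranet phone book",
           frozenset({"person", "organisation"}), date(2025, 1, 1)),
    ApiKey(("Data warehouse",), "Full nightly copy of Pure", frozenset(), None, is_admin=True),
    ApiKey(("Old CMS", "Conference site"), "", frozenset({"research-output"}), date(2023, 12, 31)),
]


def run_sample_audit(today: date = date(2024, 7, 27)) -> List[Tuple[str, str]]:
    return audit_keys(SAMPLE_KEYS, today)


if __name__ == "__main__":
    for app, finding in run_sample_audit():
        print(f"{app}: {finding}")
```

Run it after each review of the security settings; the phone book key passes cleanly, while the admin key and the shared, expired key are the ones that need a decision.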
What content types do you need access to?
When you have access to a specific data type in the API, you can see all the information that is directly related to the content type, and the linking objects in Pure, but not necessarily the linked data.
Let's say you have a key (only) enabling Research Output.
| A research output | Has a number of linking data objects → | Linking to the full data object → |
| With Research Output access you can see this data | And this data, since it describes the state of the linked objects at the time the research output was created | But not this data, since this has more and current information on the person/journal/etc. So to access this data, you need access to the content type. |
So with Research Output access you can get the name of the author at the publishing time, and information about the organizational unit association, but not information about ORCID, Title, Profile photo or any of the other data stored on the person.
In sum, you need to talk to each API user to find out which data they need from Pure to be able to set up the content types correctly on the API key.
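To make the distinction between a linking object and the full linked record concrete, here is an added example that is not Pure's own code and does not use Pure's real response format: a constructed research output embeds a person association (the author's name and unit as they were at publishing time) together with a reference to the full person record, and a resolver follows that reference only when the key's content types include the referenced type. With Research Output access alone the publication-time name is visible and the ORCID is not; adding Person to the key exposes the full record.

```python
import copy

# Constructed sample records; field names are assumptions for illustration only.
RESEARCH_OUTPUT = {
    "type": "research-output",
    "uuid": "ro-1",
    "title": "Example paper",
    "personAssociations": [
        {   # linking object: the author as registered on the research output
            "name": {"firstName": "Ada", "lastName": "Example"},
            "organisationalUnits": [{"name": "Department of Examples"}],
            # bare reference to the full, current person record
            "person": {"type": "person", "uuid": "person-1"},
        }
    ],
}

# Constructed full records that the references point to
LINKED = {
    ("person", "person-1"): {
        "type": "person",
        "uuid": "person-1",
        "name": {"firstName": "Ada", "lastName": "Example-Smith"},  # current name
        "orcid": "0000-0000-0000-0000",   # placeholder value
        "titles": ["Professor"],
    }
}


def is_reference(node):
    """A bare reference carries only a type and a uuid."""
    return isinstance(node, dict) and set(node) == {"type", "uuid"}


def resolve_links(record, allowed_types, linked=LINKED):
    """Copy record, expanding references whose type the key may read.

    References to content types outside allowed_types stay as bare references,
    so the caller still sees the linking data but none of the linked record.
    """
    def walk(node):
        if is_reference(node):
            key = (node["type"], node["uuid"])
            if node["type"] in allowed_types and key in linked:
                return copy.deepcopy(linked[key])
            return dict(node)
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node
    return walk(record)


def author_view(allowed_types):
    """Return (name at publishing time, ORCID or None) for the first author."""
    resolved = resolve_links(RESEARCH_OUTPUT, allowed_types)
    assoc = resolved["personAssociations"][0]
    return assoc["name"]["lastName"], assoc["person"].get("orcid")


if __name__ == "__main__":
    print("Research Output only:", author_view({"research-output"}))
    print("Research Output + Person:", author_view({"research-output", "person"}))
```

The same walk applies to journals, organisations or any other referenced type: what is embedded in the research output is always visible, what sits behind the reference depends on the key.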
Username and password
If you want to ensure that no one can see the online documentation or the endpoints you can use authentication by username and password.
And then enable Basic authentication as well
With this in place you can now only see the pages if you have a valid username/password for Pure.
This type of access limitation can be enabled/disabled separately for each endpoint and for the documentation, but please note that new versions of the APIs are not protected by default even if the previous version was, so you will need to update the security settings when a new major version of Pure is installed.
Please be aware that the API key restriction always applies, including to web service versions newly added with new major Pure versions.
Updated at July 27, 2024