. . .

Auth and Security

Implement basic authentication or OAuth for end-users and developers to control data access on a class and object level.

ApiOmat gives you complete control over two entities, app end-users and developers. Both can authenticate with ApiOmat's built-in feature or using an external OAuth service and can be granted specific access to data. Configure individual roles for each backend in ApiOmat and grant developers access to only the essential project components.

Relevant Links: Access Control Lists | User Management | OAuth2 | Authentication Classes | Dynamic Roles | LDAP | SAML

Key Capabilities

Basic Authentication

Without any configuration the default auth mechanism provides basic security out of the box


More complex auth mechanisms can be used for more convenience (e.g. Single-Sign-On) or higher security (e.g. with expiring tokens)

Access Control Lists

Use pre-defined or create custom roles for end-users and assign CRUD rights to these roles on class or even object level

Developer Roles

Grant other backend developers the right to change or just view your data model, to just download the SDKs for your backend or view your backend data

Authentication Classes

Native Modules can contain specific classes that can contain fully customized authentication logic and optionally be used for authentication ApiOmat-wide (not just in that Module)

Dynamic Roles

Native Modules can contain specific classes that can contain fully customized authorization logic and optionally be used for authorization ApiOmat-wide (not just in that Module)


An ApiOmat admin can define contracts which a developer has to accept in order to gain access

How it works

Authentication and authorization are divided into two groups of people: end-users and developers. An end-user is a person that uses an ApiOmat backended app. A developer is a person who created the backend on ApiOmat and who has access to the Dashboard.


End-user objects can be created with a registration form in your app or via REST API, which enables an end-user to send requests to your backend, all while being protected by basic authentication. You can also fetch OAuth2 tokens for those users in an app and use token-based authentication.

You don't have to create the user objects explicitly. Instead, you can use the LDAP module to sync users with an LDAP directory or use SAML for Single-Sign-On.

A user's access to data can be restricted by pre-defined roles, custom roles or complete custom implementations. For example, you can grant read access to the class "MyClass" to all app users, but write access only to the owners of the objects. You can also create custom roles like "Team lead" or "build server" and grant CRUD rights to those roles. Complete custom implementations let you fetch role data from a 3rd party system for example.

You can also create custom authentication classes where you have full control over the authentication and authorization mechanism. For example, if you already have a user database and a web service in front of it, you could implement an auth class that sends requests to that web service to authenticate the requests to ApiOmat. The LDAP module works in a similar way.

When developing a web application, it may come in handy that you can also define the allowed Origins for Cross-Origin-Requests.


Especially when working in a team, you might want to grant other developers access to your backend's metadata and data. You can do this on a fine-granular level.

Also, when external developers are part of your team, you can use ApiOmat's contract feature to require them to sign a contract before they gain access to ApiOmat.