Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Securing the Pega API

Updated on April 6, 2022

To ensure the safety of Pega API credentials that are transferred through HTTP basic authentication, use TLS 1.2, a strong transport layer security, when installing your Pega application. You can also secure the Pega API by using OAuth 2.0.

This task describes how to secure the Pega API by using TLS 1.2. For information about securing the Pega API by using OAuth 2.0, see the Pega Community article Accessing the Pega API by using OAuth 2.0.
  1. Deploy your Pega application by creating and installing TLS/SSL digital certificates on your web application server for the Pega application. For instructions, see the documentation for your server.
  2. Confirm that the Pega API is configured to use TLS/SSL, which is enabled by default. On the Edit Service Package dialog box for the API service package, ensure that Requires authentication, Use TLS/SSL (REST only), and Suppress Show-HTML are selected.
  3. Test the Pega API in Dev Studio and ensure that the URL starts with https://, the connection uses TLS 1.2, and users are prompted for their Pega credentials the first time the Pega API is used in a browser session.
What to do next:

Following are some guidelines for roles and privileges that you might need to configure.

  • PegaRULES:PegaAPI role - When you create an application, explicitly add the PegaRULES:PegaAPI role to a user's access group so that the user can use the Pega API.
  • PegaRULES:PegaAPISysAdmin role - Explicitly add the PegaRULES:PegaAPISysAdmin role to a user's access group to provide access to the Pega API REST user services as a system administrator. This role is not required for other services.
  • PegaRULES:SysOpsObserver and PegaRULES:SysOpsAdministrator roles - To use the Caches, Pools, and Nodes APIs, you must have the following roles:
    • To perform GET operations, the PegaRULES:SysOpsObserver  role.
    • To perform other operations, for example, PUT, DELETE, POST, the PegaRULES:SysOpsAdministrator  role.

In addition, use cross-origin resource sharing settings in Pega Platform to control and secure the Pega API services that are embedded in your web or mobile client application. Configure these settings to permit Pega API access across domains that you trust by using the headers that you specify. You can also control the time period between preflight requests. For more information, see Creating a cross-origin resource sharing policy.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us