Authentication

When the service runs as an authenticated user, the external application sending the request must include the username and password of an Operator ID in the request. The external application can send these values either in an HTTP header, or appended to the URL as name/value pairs for the parameters UserIdentifier and Password. The value of the password must be base64-encoded.

Stateful sessions

When the session state in a service package is set to Stateful, the service returns a cookie in the response with the Set-Cookie HTTP header. The cookie contains the Requestor ID of the requestor that processed the first request, with the prefix "PegaRULES." For another request to access the same session data, the external application must include the PegaRULES cookie in the header of that request.

Custom cookies and stateful sessions

A response can contain only one Set-Cookie header. If a Set-Cookie is set in the data mapping on the Response tab, the Pega Platform does not set the PegaRULES cookie for you. So if the services run in a stateful session and you need to return custom cookies, your rules are also responsible for constructing the PegaRULES cookie.

Create the cookie string by concatenating all the cookies to be sent, including the PegaRULES cookie, into one string. The value of the PegaRULES cookie must be the requestor ID. For example: PegaRULES=H40F706525721982DE3C8530D6DC64FCD.

Get the value of the requestor ID from the pzRequestorId property on the pxRequestor page, which is always present on the clipboard. This can be accomplished either by having the service activity set a clipboard property, or through a Rule-Utility-Function. Then, use the Response tab to configure a Set-Cookie header that contains the string with the values of all the cookies.