REST server authentication

I’m creating a small server which exposes a REST API using the HttpAPI stuff.

Rather than using regular login/logout authentication with sessions, I’d rather make the server completely stateless and just use a pre-shared key/secret to “authenticate” each of my REST methods.

So, similar to what happens with regular sessions where the GUID is placed in the ApiKey header of the REST calls, I want to do the same but just supply a known pre-shared value for this header and somehow check/authenticate this on the server in each function.

Basically each instance of this server will only ever be accessed by a single client so I don’t want the overhead/faff of logging in and out and dealing with sessions and expiry and so forth. The functions are all effectively stateless and don’t need any sessions.

Any ideas of how I might go about this?


I assume you are using Delphi.

I can suggest two ways:

Thanks, the second option looks cleaner but is there any documentation about how the HttpAPI authentication stuff works?

I’m currently using the TROHttpApiSimpleAuthenticationManager, can I just use this as a template for my own but change the ReadAuthenticationInfo method to check the supplied Access-Token header against a known value?

I’m trying to wrap my head around how it actually works but I don’t understand what this ReadAuthenticationInfo method is doing. It seems to just create a TROHttpApiSession object but that appears to be little more than a class that just holds a couple of values. I can’t figure out how/where the actual sessions are checked.

Experimenting a bit more.

I’ve created a test server with a single method in a service which doesn’t require sessions. I’m using the TROHttpApiSimpleAuthenticationManager.

I then try calling the method from Postman. If I put a random GUID into the Access-Token header then it works fine. If I leave it blank however, then I get a 401 response back.

The difference in the ReadAuthenticationInfo function is that the latter call creates a TROHttpApiSession with a blank token and an EmptyGUID. This is presumably what then leads to the 401 error result but I don’t know how.

If I create my own authentication manager but, in the ReadAuthenticationInfo method, I just check the token header against a known GUID, what should I then create and return in terms of the TROHttpApiSession object?


How things work in the case of TROHttpApiSimpleAuthenticationManager:

  • You call the Login method with some parameters.
  • If login is successful, a session is created and its GUID is returned to the client via the Access-Token token. Check TROHttpApiSimpleAuthenticationManager.WriteAuthenticationInfo.
  • To access a protected service, the client side should provide Access-Token=value in the HTTP header.
  • The server side reads this token in TROHttpApiSimpleAuthenticationManager.ReadAuthenticationInfo and creates a TROHttpApiSession.
  • Later, the standard Authentication and Login mechanism is used.

You can override the ReadAuthenticationInfo method and check your token. If it is successful, you can create a TROHttpApiSession with a pre-created SessionID so it will work as expected.

Also, I can suggest overriding WriteAuthenticationInfo and returning nothing, to maintain security.

Thanks, what I just tried was this:

Copied TROHttpApiSimpleAuthenticationManager to my own class.
Changed ReadAuthenticationInfo to check the Access-Token header value against a known GUID.
If it matches then I return TROHttpApiSession.Create('', EmptyGUID) otherwise I throw an exception.
I set SecurityMode to smPerMethod and have an OnCanWriteMethodSecurity handler which just sets CanWrite := False.
I have a single service with a single method which just returns a test string. The service doesn’t require sessions.

This appears to work! If I call the method from Postman and supply the known GUID in the Access-Token header then it works fine. If I put anything else in this header then the ReadAuthenticationInfo throws an exception and I get a 401 back in Postman.

Is what I’m doing here “OK”?

I don’t need sessions at all really as the server is effectively stateless and will only ever be accessed by a single client. All endpoints can simply include the “pre-shared secret GUID” in the Access-Token header and I then don’t have to worry about any login/logout methods or session expiry or any such stuff.
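
A constant-time check of the supplied Access-Token value against the pre-shared secret, as an added example that is not part of the original posts and is not Remoting SDK code. The helper names, the API_ACCESS_TOKEN environment variable and the sample GUID are assumptions; the check is meant to be called from an overridden ReadAuthenticationInfo.

```delphi
program PreSharedTokenCheck;
{$APPTYPE CONSOLE}

uses
  System.SysUtils;

const
  // Assumed environment variable name; keeps the secret out of the source.
  TokenEnvVar = 'API_ACCESS_TOKEN';

// Hypothetical helper: load the pre-shared value once at server start.
function LoadExpectedToken: string;
begin
  Result := GetEnvironmentVariable(TokenEnvVar);
  // Fail closed: an unset secret must not turn into "empty token accepted".
  if Result = '' then
    raise Exception.Create(TokenEnvVar + ' is not set');
end;

// Hypothetical helper: compare every byte instead of stopping at the first
// mismatch, so response time does not reveal how much of the token matched.
function IsValidAccessToken(const Supplied, Expected: string): Boolean;
var
  A, B: TBytes;
  I: Integer;
  Diff: Byte;
begin
  A := TEncoding.UTF8.GetBytes(Supplied);
  B := TEncoding.UTF8.GetBytes(Expected);
  // The length of a GUID-style token is not secret, so exiting early on a
  // length mismatch (or an empty expected value) leaks nothing useful.
  if (Length(B) = 0) or (Length(A) <> Length(B)) then
    Exit(False);
  Diff := 0;
  for I := 0 to High(B) do
    Diff := Diff or (A[I] xor B[I]);
  Result := Diff = 0;
end;

const
  // Constructed sample value for the demonstration, not a real key.
  SampleSecret = '{00000000-1111-2222-3333-444444444444}';
begin
  // A real server would use LoadExpectedToken instead of SampleSecret.
  Writeln(IsValidAccessToken(SampleSecret, SampleSecret));
  Writeln(IsValidAccessToken('', SampleSecret));
  Writeln(IsValidAccessToken('{00000000-1111-2222-3333-44444444444X}', SampleSecret));
end.
```

Because the header value is the only credential in this design, it is readable by anyone who can observe the request unless the server is reached over TLS.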


If it works as you like, you can use this solution.

another way was