Creating APIs‎ > ‎Security‎ > ‎


The server determines what authenticated API calls are authorized to do by looking at the roles assigned to the auth token. The following sections explain the basic facilities.

For more information:

Role-Based Access

You can authorize which endpoints are visible to which roles. You can also define role permissions for row and column-level security.


Globals are variables that API Creator makes available to each transaction so that they can determine what data the user should have access to.

Auth Token Globals

In most cases, your authentication provider makes the values of the auth token available as globals (for example, the LoginId global), with the possible exception of the password. In addition, your authentication provider can return a set of global values.

Typical examples:
    • Scalar values such as UserName.
    • Objects such as a database row (for example, retrieved by the LoginId global).

Built-in Authentication Provider Globals

The built-in authentication provider provides the user_identifier variable for the _apikey system global. For example:


For more information about the built-in authentication provider, see Authentication.

System Globals

API Creator predefines the following system globals, sets them for every transaction, and references the predicate:

Name Value Example
_apikey The auth token (_apikey) object currently in use. @{_apikey.project_ident}
_project The Project currently in use. @{}
_account The Account currently in use. @{}

More Information

For more information about role-based endpoint access and globals, including how to define a role, how to define and reference a global, and how to define role permissions, see Role-Based Endpoint Access.