I do tests with Postman and PHPMaker 2020.0.14 RESTAPI. I can add data to the tables by post without user tokens. This can be a security issue. Is this normal or is there a way to authorize it?
If you have enabled Advanced Security (see the topic Security Settings in the help file), you need to log in and get the JWT token first. See the topic REST API → Authenticate User with JWT (JSON Web Token) in the help file.
Thank you very much for your answer.
Advanced Security enabled.
I have read the help files.
2nd test.
I deleted all permissions and recreated them.
I log in and a JWT token is created,
but it is not possible to add data with tokens.
I think I have a problem with user authorization.
{
    "success": false,
    "failureMessage": "You do not have permission to access /demo/api/index.php.",
    "version": "16.0.14"
}
I have experience in restapi and user authorization, but I cannot do this.
My curl function:
curl --location --request POST 'server/demo2020/api/' \
  --header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCurl*****' \
  --header 'Cookie: PHPSESSID=b74d2eff8eba38d1c9826c8d25becbe2' \
  --form 'object=categories' \
  --form 'CategoryName=CAT' \
  --form 'Description=DETAILS' \
  --form 'action=add'
zbahadir wrote:
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCurl*****' \
Assuming your JWT token is obtained from the API, try sending it in the header “X-Authorization”; see the example in the topic REST API in the help file.
Yes, finally I tried this and it worked.
PHPMaker only supports X-Authorization for RESTAPI.
Thank you very much for your help.
zbahadir wrote:
PHPMaker only supports X-Authorization for RESTAPI.
You may change the advanced setting “API JWT authorization header”, see the topic Tools → Advanced Settings in the help file.
X-Authorization is running. I have been trying for days, but I could not run Authorization. I use Authorization in my mobile applications and all my projects. I couldn’t use it with PHPMaker. There is no other detail than the PHPMaker documentation.
arbei wrote:
You may change the advanced setting “API JWT authorization header”, see the topic Tools → Advanced Settings in the help file.
You may try to set “API JWT authorization header” to “Authorization”. However, make sure your web server allows it. For example, it doesn’t work with IIS. You may debug with $Request->getHeader("Authorization") to check if PHP gets the header from the web server.
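
The check suggested in the last reply, written as a standalone diagnostic. This is an added example, not PHPMaker code or code from the thread; `locate_jwt_header()` is a hypothetical helper and the sample token is constructed. It reports where, if anywhere, the JWT header reached PHP, so a header dropped by the web server can be told apart from a token rejected by the API.

```php
<?php
// Added example, not PHPMaker code. locate_jwt_header() is a hypothetical helper.

function locate_jwt_header(array $server, array $headers, string $name): ?array
{
    // PHP exposes the request header "Foo-Bar" as $_SERVER['HTTP_FOO_BAR'].
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    // After an internal redirect (e.g. a rewrite rule) Apache prefixes
    // environment variables with REDIRECT_, so look there as well.
    $candidates = [
        $key               => $server[$key] ?? null,
        'REDIRECT_' . $key => $server['REDIRECT_' . $key] ?? null,
    ];
    // getallheaders() keeps the client's casing, so compare case-insensitively.
    foreach ($headers as $h => $v) {
        if (strcasecmp($h, $name) === 0) {
            $candidates["getallheaders()[$h]"] = $v;
        }
    }
    foreach ($candidates as $source => $value) {
        if (is_string($value) && $value !== '') {
            // Assumption: the value is "Bearer <token>" or a bare token.
            $token = preg_replace('/^Bearer\s+/i', '', trim($value));
            // Do not log the token itself; its shape is enough for debugging.
            return [
                'source'   => $source,
                'length'   => strlen($token),
                'segments' => count(explode('.', $token)), // a signed JWT has 3
            ];
        }
    }
    return null; // the header never reached PHP
}

// Constructed sample: a server that dropped Authorization but passed X-Authorization.
$sampleServer = ['HTTP_X_AUTHORIZATION' => 'Bearer aaa.bbb.ccc'];
foreach (['Authorization', 'X-Authorization'] as $name) {
    $hit = locate_jwt_header($sampleServer, [], $name);
    echo $name, ': ', $hit ? json_encode($hit) : 'not received by PHP', PHP_EOL;
}

// On a live endpoint, pass the real request data instead:
// locate_jwt_header($_SERVER, function_exists('getallheaders') ? getallheaders() : [], 'Authorization');
```

If `Authorization` comes back as "not received by PHP" while `X-Authorization` is found, the web server is stripping the header before PHP sees it, and changing the “API JWT authorization header” setting alone will not help.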