Admin API Settings

Version 23.4.8843

The Admin API tab of the Settings page enables you to control settings that are related to the CData Sync API. This tab contains three sections:

  • Trusted IP Addresses

  • Cross-Origin Resource Sharing (CORS)

  • Other Settings

Trusted IP Addresses

This section defines the IP addresses that are allowed to make connections to the Sync API. The following functions are available:

  • Add: Opens a dialog box where you can enter a new IP address range.

  • Edit: Opens a dialog box where you can modify the selected IP address range.

  • Delete: Deletes the selected IP address range from the list.

The following restrictions apply to this setting:

  • localhost is always allowed to access the Sync API. This behavior cannot be changed.

  • Ranges are supported. For example, the entry indicates that IP addresses between and are allowed. Any IP addresses outside of that range are rejected.

  • Wildcard patterns are supported. For example, the entry 100.10.100.* indicates that IP addresses beginning with 100.10.100 are allowed. Any IP addresses outside of that range are rejected.

Cross-Origin Resource Sharing (CORS)

CORS enables browser-based clients to connect to the Sync application. Without CORS, browser-based scripts cannot connect to the Sync API because of the same-origin policy that is enforced by the browser. This policy restricts client-side scripts and documents from loading resources from outside of their origin. The origin of a script consists of the protocol, the host, and the port.

If you enable CORS, you can configure it with the following options:

  • Allow all domains without ‘*’: When this option is enabled, Sync allows any origin that is passed by the client by returning that origin in the Access-Control-Allow-Origin header.

  • Access-Control-Allow-Origin: Enter the origins for which Sync will participate in CORS. Sync returns these origins in the Access-Control-Allow-Origin header. When this option is set to ‘*’, Sync allows any origin and passes ‘*’ in the Access-Control-Allow-Origin header. This behavior is suitable for public APIs.

  • Access-Control-Allow-Methods: For this option, enter a comma-separated list of allowed methods.

  • Access-Control-Allow-Headers: For this option, enter a comma-separated list of headers that can be used in requests that are made by the script.

  • Access-Control-Allow-Credentials: Set this option to True if you want to require that clients provide credentials.

  • Access-Control-Max-Age: Enter the number of seconds that the user agent can cache the results of a preflight request.
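
The following added example (not CData Sync code and not part of the original documentation) models how the origin and credentials options above combine, and which combinations deserve review before CORS is enabled. The settings field names and sample origins are hypothetical, and the model assumes that setting Access-Control-Allow-Credentials to True sends that header with the value true.

```javascript
// Added illustration modelling the CORS options described above; not CData Sync code.
// Field names (reflectAnyOrigin, allowOrigins, allowCredentials) are hypothetical.

// Compute the CORS response headers a server with these settings sends for one Origin.
function corsHeaders(settings, requestOrigin) {
  const headers = {};
  if (!requestOrigin) return headers; // no Origin header: not a CORS request
  if (settings.reflectAnyOrigin) {
    // "Allow all domains without '*'": the caller's origin is echoed back.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  } else if (settings.allowOrigins.includes('*')) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (settings.allowOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  } else {
    return headers; // origin not listed: no CORS headers, the browser blocks the read
  }
  // Assumption: True maps to sending the header with the literal value "true".
  if (settings.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser side: may a script on requestOrigin read a response fetched with credentials?
function browserAllowsCredentialedRead(headers, requestOrigin) {
  // Fetch standard: the allowed origin must match exactly ('*' does not count)
  // and Access-Control-Allow-Credentials must be "true".
  return headers['Access-Control-Allow-Origin'] === requestOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// Flag option combinations worth reviewing before CORS is enabled.
function auditCors(settings) {
  const findings = [];
  const star = !settings.reflectAnyOrigin && settings.allowOrigins.includes('*');
  if (settings.reflectAnyOrigin && settings.allowCredentials)
    findings.push('reflect-any-origin + credentials: any origin can read credentialed responses');
  if (star && settings.allowCredentials)
    findings.push("'*' + credentials: browsers refuse credentialed responses");
  for (const o of settings.allowOrigins)
    if (o !== '*' && !/^https:\/\/[^\/]+$/.test(o))
      findings.push(`"${o}" is not a bare https origin (scheme, host, optional port)`);
  return findings;
}

// Constructed sample settings.
const strict = { reflectAnyOrigin: false, allowOrigins: ['https://admin.example.com'], allowCredentials: true };
const reflect = { reflectAnyOrigin: true, allowOrigins: [], allowCredentials: true };
const wildcard = { reflectAnyOrigin: false, allowOrigins: ['*'], allowCredentials: true };
```

With these constructed settings, only `reflect` lets an unlisted origin pass `browserAllowsCredentialedRead`, while `wildcard` fails it for every origin because browsers do not accept ‘*’ on credentialed requests.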

Other Settings

The Other Settings section contains one option: Allow Authtoken in URL. For more information about this option, see Authentication.