Ermeo Help center

Integrations – Internal authentication (connected user)

New API Integration

A new API integration method is now available through an authentication mode called “Internal Authentication.”

⚠️ This mechanism applies exclusively to flows targeting Ermeo and CausewayOne, i.e. those connecting to the Docs, Field, Field Studio, or standard Ermeo APIs.

Operating Principle

Unlike previous models based on a service account (notably OAuth), API actions are now executed on behalf of the logged-in user.

In practical terms:

  • The user authenticates via Ermeo or CausewayOne
  • API calls (Docs / Field / Field Studio / standard Ermeo) are performed using their own user context
  • Each action therefore reflects the actual permissions of that user
❗ Key consideration: permission management

This change introduces a direct dependency on roles and permissions:

  • If the user does not have the required permissions, the API call will fail
  • Errors are therefore linked to user permissions, no longer to a dedicated service account

👉 From a support perspective, the priority is to:

  • Verify the user’s roles and permissions
  • Ensure the user can perform the action manually in the interface

Comparison with the Previous Model (OAuth)

| Internal Authentication | Service Account (OAuth) |
| --- | --- |
| Actions performed on behalf of the user | Actions performed on behalf of a generic account |
| Strict enforcement of user permissions | Broader access based on service account permissions |
| No token expiration issues | Token expiration constraints: Access token (2h) + refresh token (2 weeks) |

With OAuth:

  • The system was less constrained by permissions
  • But highly dependent on token validity
  • In case of prolonged inactivity (expired refresh token), integrations could fail unless the flow was restarted

Benefits of the New Model

  • Alignment with security best practices
  • Clear action traceability (user-level audit)
  • Elimination of token management issues

Key Takeaways for Support

  • API errors are often linked to user permission issues
  • Always validate permissions before further investigation
  • Expected behavior is now fully aligned with the user interface