When using the REST API, your client application needs to act under the permissions and restrictions of a particular user. This way Jmix can link the API calls to a user and apply the regular Security Authorization capabilities of Jmix to the requests.

The REST API supports a variety of security mechanisms that are available via the Security Subsystem of Jmix. Additionally, it adds API-specific parts on top, such as OAuth2, for securing interactions via the API.

Predefined Roles

REST: minimal access (rest-minimal): Allows users to interact with the application via the API.


For security reasons, browsers don’t allow JavaScript network calls to resources outside the current origin. Cross-Origin Resource Sharing (CORS) relaxes this restriction by letting you specify which cross-origin requests are allowed.

By default, all CORS requests to the REST API are allowed. To restrict the list of allowed origins, define the allowedOrigins application property.

For further customizations of the CORS configuration, see the Spring Security documentation on CORS.
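
To confirm that a restricted origins list is actually enforced, compare the CORS response headers returned for trusted and untrusted `Origin` values against the intended list. The following JavaScript is an added example, not Jmix code; the function names, origins and captured response headers are constructed for illustration.

```javascript
// Added example, not Jmix code. Header names are standard CORS headers;
// the origins and "captured" responses below are constructed sample data.

// Decide what a response's CORS headers mean for a given probe Origin.
function classifyCors(probeOrigin, headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  const creds = h['access-control-allow-credentials'] === 'true';
  if (acao === undefined) return 'denied';            // browser blocks the read
  if (acao === '*') return 'allowed-any-origin';
  if (acao === probeOrigin) return creds ? 'allowed-with-credentials' : 'allowed';
  return 'denied';                                    // header names another origin
}

// Compare observed behaviour with the intended allow-list.
function auditCors(expectedOrigins, probes) {
  const findings = [];
  for (const { origin, headers } of probes) {
    const verdict = classifyCors(origin, headers);
    const expected = expectedOrigins.includes(origin);
    const allowed = verdict !== 'denied';
    if (allowed && !expected) findings.push({ origin, verdict, issue: 'unexpected origin allowed' });
    if (!allowed && expected) findings.push({ origin, verdict, issue: 'expected origin blocked' });
  }
  return findings;
}

// Constructed sample: responses recorded before and after restricting origins.
const EXPECTED = ['https://app.example.com'];
const BEFORE = [
  { origin: 'https://app.example.com', headers: { 'Access-Control-Allow-Origin': 'https://app.example.com' } },
  { origin: 'https://untrusted.example.net', headers: { 'Access-Control-Allow-Origin': 'https://untrusted.example.net' } },
];
const AFTER = [
  { origin: 'https://app.example.com', headers: { 'access-control-allow-origin': 'https://app.example.com', 'Vary': 'Origin' } },
  { origin: 'https://untrusted.example.net', headers: {} },
];

console.log('before:', auditCors(EXPECTED, BEFORE));
console.log('after: ', auditCors(EXPECTED, AFTER));
```

An empty findings list means the observed behaviour matches the intended list; any `unexpected origin allowed` entry means the restriction is not in effect for that endpoint.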