Best Practice to secure REST API
Hi all,
Our team is looking for the best approach to securing our REST service. We are authenticating based on the clientId and clientSecret passed in the headers.
Based on what I have seen this might be accomplished through a custom authentication service and activity.
We looked at OAuth 2.0, but that does not seem to meet our needs since we are not using a temporary token, and basic authentication is based on userID/password, which is similar but not exactly what we are doing.
Worth noting that our service is being proxied by IBM API Connect, so the credentials are being validated there as well.
How should we store the clientId and clientSecret securely? We are hoping to reuse a table/feature in Pega that already provides encryption rather than implementing encryption ourselves.
How should this activity be implemented? Should we create an operator ID to tie to our REST service? In other authentication services we see an operator ID being opened and passed as a parameter on pyOperPage, but is this the best practice for an integration?
If we don't use an operator ID, how would we set the authorization once authenticated?
Thanks for any guidance!
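The storage question above has a standard answer that does not depend on the platform: a service that only needs to verify a client secret should store a salted, slow hash of it rather than the secret itself (encrypted or not), and compare the candidate hash in constant time. The following is an added example in Python, not Pega code and not anything from the original post; the header names (X-Client-Id, X-Client-Secret), the in-memory credential store and the PBKDF2 parameters are assumptions for illustration. The caveat a practitioner would add: hashing only works when your side never has to present the secret outbound; if the same secret must also be replayed to another system, it has to be stored reversibly (encrypted) instead.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory credential store, clientId -> (salt, hash).
# A real deployment would keep this in a database table; the layout here
# is an assumption for the example, not a Pega data class.
_CREDENTIAL_STORE: Dict[str, Tuple[bytes, bytes]] = {}

# PBKDF2-HMAC-SHA256 iteration count (assumed; chosen so that a leaked
# table does not give away the secrets cheaply).
_ITERATIONS = 600_000


def _hash_secret(secret: bytes, salt: bytes) -> bytes:
    # Slow, salted hash: the stored value cannot be turned back into the
    # secret, and equal secrets for different clients hash differently.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, _ITERATIONS)


def register_client(client_id: str) -> str:
    """Generate a fresh client secret, store only its salted hash, and return
    the plaintext once so it can be handed to the calling system."""
    secret = secrets.token_urlsafe(32)
    salt = os.urandom(16)
    _CREDENTIAL_STORE[client_id] = (salt, _hash_secret(secret.encode(), salt))
    return secret


# Fixed dummy record used when the clientId is unknown, so the unknown-ID
# path costs the same as a real verification and cannot be spotted by timing.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash_secret(b"not-a-real-secret", _DUMMY_SALT)


def verify_client(client_id: str, client_secret: str) -> bool:
    """Return True only if client_id exists and client_secret matches it."""
    record = _CREDENTIAL_STORE.get(client_id)
    known = record is not None
    salt, stored = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash_secret(client_secret.encode(), salt)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    matched = hmac.compare_digest(candidate, stored)
    return matched and known


def authenticate_request(headers: Dict[str, str]) -> Optional[str]:
    """Pull the credentials out of the request headers (header names are an
    assumption) and return the authenticated clientId, or None on failure."""
    client_id = headers.get("X-Client-Id")
    client_secret = headers.get("X-Client-Secret")
    if not client_id or not client_secret:
        return None
    return client_id if verify_client(client_id, client_secret) else None


if __name__ == "__main__":
    # Constructed usage: provision a client, then simulate two requests.
    issued = register_client("acme-app")
    print(authenticate_request({"X-Client-Id": "acme-app",
                                "X-Client-Secret": issued}))
    print(authenticate_request({"X-Client-Id": "acme-app",
                                "X-Client-Secret": "wrong"}))
```

Whatever holds the table, the property a reviewer will look for is that a copy of the credential table alone does not let an attacker call the service, which an encrypted-at-rest column does not give you if the decryption key lives on the same box.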