17.6.1 Understanding Web Credentials

Use Web credentials to connect to external REST services or REST Enabled SQL services.

Creating Web Credentials securely stores and encrypts authentication credentials for use by Oracle APEX components and APIs. Credentials cannot be retrieved back in clear text. Credentials are stored at the workspace-level and therefore are visible in all applications.

17.6.1.1 Protecting Web Credentials by Defining Valid URLs

Protect Web credentials by adding valid URLs.

You can protect Web credentials by adding valid URLs to the Valid for URLs attribute. Adding URLs to the Valid for URLs attribute prevents APEX from accidentally sending a sensitive credentials to a different server. Whenever a Web credential is used, APEX checks whether the URL matches what is defined in defined in the Valid for URLs attribute.

When adding URLs to this attribute, place each URL into a new line. The URL endpoint being used must start with one of the URLs provided here. See field-level Help for examples.

17.6.1.2 About Supported Authentication Types in Web Credentials

Learn about supported authentication types in Web credentials.

Web credentials support the following Authentication Types:

  • Basic Authentication - Sends username and password in Base64-encoded form as the Authorization request header.

  • OAuth2 Client Credentials Flow - APEX exchanges the client ID and client secret for an Access Token using a token server URL. The access token is then used to perform the actual request. If the access token is expired, APEX will transparently request a new one.

  • HTTP Header - The credential is added to the REST Request as a HTTP Header. The name of the credential is the HTTP Header name, the Secret of the credential is the HTTP Header value. APEX does not add these secrets to the Debug log or any other logs.

  • URL Query String - The credential is added to the URL of the REST Request as a Query String Parameter (for example: ?name=value). This option can be useful with API keys. APEX does not add these secrets to the Debug log or any other logs. However, proxy or other intermediate servers will log these credentials in their log files.

17.6.1.3 Exporting and Importing Web Credentials

Learn about exporting and importing Web credentials.

When you export an application, used credentials are added to the export file. When you import the application into another workspace, APEX checks whether the target workspace already contains credentials with the same static ID. If a credential already exists, the application uses it. Otherwise the credential from the import file is created in the target workspace.