Robotic Process Automation (RPA)


Securing the RPA API

By NIGEL CROWTHER posted Mon May 24, 2021 08:29 AM


The RPA API is a powerful way to invoke bots programmatically. For details see the docs here:


However, this API is not authenticated and is not secure against malicious use. In this blog I describe two ways to secure it.

Method 1 - Use an API-Key

This is the simplest approach. Add an API Key input parameter to the bot. The bot script validates the passed-in key against the key stored in the Vault. If they match, the bot continues to execute; otherwise a 401 Not Authorized error is returned. See the bot script example below:

// This WAL script demonstrates how to validate the api_key passed as input to the bot script.
// The script compares the api_key defined in the system vault to the passed-in key.
// If they do not match then a 401 Authentication Error is returned.
// Input parameter rpa_api_key_param contains a secret key to protect the API from unauthorized use.
// Output parameters out_code, out_type and out_message carry the result back to the caller.
beginSub --name validateApiServiceAccount
    // Read the expected key from the system Vault; the key is stored in the userName field of the item
    getVaultItem --name RPA_API_KEY --system retVal=success rpa_api_key_vault=userName dummyValue=password
    if --left "${retVal}" --operator "Is_True" --negate
        logMessage --message "Failed to get creds" --type "Info"
        setVar --name "${out_code}" --value 401
        setVar --name "${out_type}" --value ERROR
        setVar --name "${out_message}" --value "Authentication Error. RPA_API_KEY not found in system Vault"
    else
        if --left "${rpa_api_key_vault}" --operator "Equal_To" --right "${rpa_api_key_param}" --negate
            logMessage --message "Failed authorization" --type "Info"
            setVar --name "${out_code}" --value 401
            setVar --name "${out_type}" --value ERROR
            // Do not echo the expected key back to the caller: an error message that contains
            // the Vault value would hand the secret to anyone probing the API with a wrong key
            setVar --name "${out_message}" --value "Authentication Error. RPA_API_KEY does not match"
        endIf
    endIf
endSub

Method 2 - Secure API Gateway

The disadvantage of Method 1 is that a bot script is only secure if it implements API-Key validation; any bot script that omits this pattern remains open to unauthorized invocation. Furthermore, if you expose your RPA agent directly to the outside world, it is open to attack. A safer approach is to install a Secure API Gateway in a DMZ that bridges API requests from the insecure internet to the secure RPA environment. The internet-facing API authenticates each request with LDAP. If the request validates, the gateway forwards it to the RPA Agent behind the firewall. See below.

Figure: Secure API Gateway
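The following is an added example, not code from the original post or from the IBM RPA product, showing the shape of the gateway described in Method 2 combined with the API-key check of Method 1: a small HTTP front end that validates a key before forwarding the request to the RPA agent, and that returns the same out_code/out_type/out_message shape the bot script uses. The agent URL and key values are constructed placeholders; the page's gateway authenticates with LDAP, and an LDAP bind could replace the check_api_key call at the marked point. Two details matter for the defender: the comparison is constant-time (a plain string comparison leaks timing information), and the rejection message never includes the expected key.

```python
# Added example (not part of the original post): minimal authenticating API
# gateway in front of an RPA agent. Values below are constructed placeholders.
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import HTTPError, URLError

# Constructed defaults; a real gateway loads the key from a vault, not from code.
EXPECTED_API_KEY = os.environ.get("RPA_API_KEY", "constructed-demo-key")
RPA_AGENT_URL = os.environ.get("RPA_AGENT_URL", "http://127.0.0.1:8099")  # assumed agent address


def check_api_key(presented, expected=None):
    """Return (code, message) mirroring the bot's out_code / out_message pair."""
    expected = EXPECTED_API_KEY if expected is None else expected
    if not presented:
        return 401, "Authentication Error. Missing API key"
    # Constant-time comparison: a plain == on strings stops at the first differing byte.
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        # Never echo the expected key in the response.
        return 401, "Authentication Error. Invalid API key"
    return 200, "OK"


def error_body(code, message):
    """Same field names as the WAL script's output parameters."""
    return {"out_code": code, "out_type": "ERROR", "out_message": message}


class GatewayHandler(BaseHTTPRequestHandler):
    """Internet-facing side: authenticate, then forward to the RPA agent."""

    def _send(self, code, payload, content_type="application/json"):
        self.send_response(code)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def _reject(self, code, message):
        self._send(code, json.dumps(error_body(code, message)).encode("utf-8"))

    def do_POST(self):
        # Authentication point: an LDAP bind could replace this API-key check.
        code, message = check_api_key(self.headers.get("X-API-Key"))
        if code != 200:
            # Log the rejection (source address and path only, never the presented key).
            self.log_message("rejected %s from %s", self.path, self.client_address[0])
            self._reject(code, message)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length else b""
        upstream = urlrequest.Request(RPA_AGENT_URL + self.path, data=body, method="POST")
        ctype = self.headers.get("Content-Type")
        if ctype:
            upstream.add_header("Content-Type", ctype)
        try:
            with urlrequest.urlopen(upstream, timeout=30) as resp:
                self._send(resp.status, resp.read(),
                           resp.headers.get("Content-Type", "application/octet-stream"))
        except HTTPError as err:
            # Relay the agent's own error status to the caller.
            self._send(err.code, err.read(), err.headers.get("Content-Type", "text/plain"))
        except URLError:
            self._reject(502, "Upstream RPA agent unavailable")


if __name__ == "__main__":
    # Bind only on the DMZ interface in a real deployment; 0.0.0.0 here for the demo.
    HTTPServer(("0.0.0.0", 8080), GatewayHandler).serve_forever()
```

Run it with RPA_API_KEY and RPA_AGENT_URL set, and send requests with an X-API-Key header; the agent itself stays reachable only from the gateway host, so a bot that forgets the Method 1 check is still not exposed directly.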

Both methods 1 and 2 can be implemented together for belt-and-braces security. Further information and working code for both patterns can be found in my tutorial here:

App Connect tutorial