Authentication and Authorization Overview
Apps that connect to ERP.net must authenticate securely and operate only within the permissions granted to them.
The authentication and authorization model in ERP.net ensures that every app and user is properly verified, identified, and restricted according to system policies.
This process is built on the OAuth 2.0 standard and implemented through the ERP.net Identity Server and the Trusted Applications model.
Why Authentication and Authorization Matter
Whenever an app interacts with an ERP.net instance, two questions must always be answered:
- Who is making the request (authentication)
- What that entity is allowed to do (authorization)
ERP.net enforces these principles through token-based access.
Each app receives a secure, time-limited token that defines its identity and permissions.
This ensures that integrations remain safe, isolated, and fully auditable.
The Building Blocks
Authentication in ERP.net is organized around three core components:
Identity Server
Each ERP.net instance includes a built-in Identity Server that manages all authentication and token issuance.
It validates credentials, issues tokens, and applies the access rules configured in the instance.
OAuth 2.0
ERP.net follows the OAuth 2.0 framework for secure, standardized communication between applications and APIs.
OAuth 2.0 defines how apps request, use, and renew tokens without ever exposing user credentials.
Trusted Applications
Before an app can connect, it must be registered as a Trusted Application within the target ERP.net instance.
This registration defines the app's identity, allowed flows, and permissions, forming a trusted relationship between the app and the instance.
How It Works
At a high level, authentication in ERP.net follows this process:
- The app is registered as a Trusted Application in the target instance.
- The app requests access through the Identity Server, either on behalf of a user or as a background service.
- The Identity Server validates the request and issues an access token.
- The app uses that token to call the APIs within the scope of its granted permissions.
```mermaid
sequenceDiagram
    participant App
    participant IdentityServer as ERP.net Identity Server
    participant API as ERP.net APIs
    App->>IdentityServer: 1. Request authorization (user or service)
    IdentityServer-->>App: 2. Issue access token
    App->>API: 3. Call API with access token
    API-->>App: 4. Return authorized data
```
Types of Access
ERP.net supports two main types of access depending on how the app operates:
Interactive access
The app represents a user and requires sign-in through a browser or web view.
Used by web or mobile applications.
Implements the Authorization Code Flow defined by OAuth 2.0.
Service access
The app acts as a background service without user interaction.
Used by automations, integrations, or scheduled tasks.
Implements the Client Credentials Flow defined by OAuth 2.0.
Both types rely on the same Identity Server and token-based authorization model.
The Result of Successful Authentication
Once authentication and authorization complete successfully:
- The app or user gains a secure session within the ERP.net instance
- An access token is issued to represent that session
- Access is limited to the scopes and permissions granted
- All activity can be traced back to the app and its associated user or service identity
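The steps above (registration as a Trusted Application, token request through the Identity Server, scoped API call, traceability) can be seen end to end in a small simulation of the service-access path, the Client Credentials Flow. This is an added example, not ERP.net code: the token format, the `issue_token`/`verify_token`/`call_api` functions, the client id `demo-integration`, its secret, the scope names `api.read`/`api.write`, and the in-memory Trusted Application registry are all constructed for illustration. ERP.net's real Identity Server endpoints and token layout are not shown here.

```python
"""Simulated OAuth 2.0 Client Credentials exchange: a registered app trades its
credentials for a time-limited, scoped access token, then calls an API that
enforces signature, expiry and scope and records who acted.
Added example; every name and the token format are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Signing key known only to the simulated Identity Server (hypothetical).
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 300  # seconds; a short lifetime limits the impact of a leaked token

# Constructed Trusted Application registry. Secrets are stored hashed, never in clear.
TRUSTED_APPS = {
    "demo-integration": {
        "secret_hash": hashlib.sha256(b"demo-secret").hexdigest(),
        "flows": {"client_credentials"},   # allowed OAuth 2.0 flows
        "scopes": {"api.read"},            # constructed scope names
    },
}

AUDIT_LOG = []  # every API call is traced back to the app identity in the token


class AuthError(Exception):
    """Carries an OAuth 2.0 style error code (invalid_client, invalid_scope, ...)."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, client_secret, scope, now=None):
    """Simulated token endpoint for grant_type=client_credentials."""
    now = time.time() if now is None else now
    app = TRUSTED_APPS.get(client_id)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # Constant-time comparison so timing does not reveal which check failed.
    if app is None or not hmac.compare_digest(app["secret_hash"], presented):
        raise AuthError("invalid_client")
    if "client_credentials" not in app["flows"]:
        raise AuthError("unauthorized_client")
    requested = set(scope.split())
    if not requested or not requested <= app["scopes"]:
        raise AuthError("invalid_scope")   # never grant more than the registration allows
    claims = {"sub": client_id, "scope": " ".join(sorted(requested)),
              "iat": int(now), "exp": int(now) + TOKEN_LIFETIME}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return {"access_token": f"{body}.{sig}", "token_type": "Bearer",
            "expires_in": TOKEN_LIFETIME, "scope": claims["scope"]}


def verify_token(token, now=None):
    """Return the claims of a correctly signed, unexpired token; raise otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise AuthError("invalid_token")
    body, sig = parts
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise AuthError("invalid_token")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise AuthError("expired_token")
    return claims


def call_api(authorization_header, required_scope, now=None):
    """Simulated resource API: Bearer token first, then scope, then an audit record."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return {"status": 401, "error": "invalid_request"}
    try:
        claims = verify_token(token, now)
    except AuthError as e:
        return {"status": 401, "error": str(e)}
    allowed = required_scope in claims["scope"].split()
    AUDIT_LOG.append({"sub": claims["sub"], "scope": required_scope, "allowed": allowed})
    if not allowed:
        return {"status": 403, "error": "insufficient_scope"}
    return {"status": 200, "data": {"customers": 42}}   # constructed payload


if __name__ == "__main__":
    resp = issue_token("demo-integration", "demo-secret", "api.read")
    hdr = f"Bearer {resp['access_token']}"
    print(call_api(hdr, "api.read"))                          # 200
    print(call_api(hdr, "api.write"))                         # 403, scope not granted
    print(call_api(hdr, "api.read", now=time.time() + 600))   # 401, token expired
    print(AUDIT_LOG)
```

The interactive path (Authorization Code Flow) differs only in how the token is obtained: the user signs in through the browser and the Identity Server issues a token carrying that user's identity instead of the service's. The API side, including the scope check and the audit record, stays the same.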
Learn More
How Apps Connect
Understand how the Identity Server, OAuth 2.0, and Trusted Applications work together.
Auth Flows
Learn about the available OAuth 2.0 flows for different app types.
Tokens
Understand access tokens, scopes, and permissions.
Sessions
Learn how tokens map to sessions and license slots within ERP.net.