What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) that offers a lightweight, compact, and self-contained method for securely transmitting information between two parties. It is commonly used in web applications for authentication, authorization, and information exchange.

A JWT is typically composed of three parts:

1. JOSE (JSON Object Signing and Encryption) Header
2. Payload
3. Signature

These parts are encoded in Base64Url format and concatenated with dots (.) separating them.

Structure of a JWT

Header

{ "alg": "HS256", "typ": "JWT"}

Payload

When I was younger (a question about exactly how much younger is outside the scope of this article), the word “token” meant fun. You see, just a couple of times a year, I would get to go to an arcade and play some amusing video games with my friends.

Hello,I am currently facing the task of retrieving or sending HL7 messages from a web API. Since we only send HL7 messages via internal sockets, web APIs are relatively new to me.The following is my plan for the new interface:I have created a new custom business service that periodically sends requests to a business process. In this business process, the HTTP request (HTTP.GenericMessage) is then created from scratch. The special feature is the "Authorisation" header field, where a signature is inserted, which consists of a base64-encoded hash value. The request is then sent to the API via a

I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.

I've already set Parameter HandleCorsRequest = 1; on the spec class and All the endpoints I am have (a mix of GET, POST, PATCH and DELETE) are working from postman without issue, the problem is when consuming from the web front-end and the preflight checks the browser instigates. Most of the endpoints work in the browser, but some are triggering the preflight (OPTIONS) check causing the CORS issue.

This is what I am seeing in the browser:-

Hi all,

This is a quick tip about how to use case insensitive URL in REST API.

If you have a class that extends from %CSP.REST and Ens.BusinessService, to create a REST API service, and you have defined your WebApplication in lowercase

XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]
{
<Routes>
    <Route Url="/user" Method="POST" Call="User"/>
    <Route Url="/login" Method="POST" Call="Login"/>
</Routes>
}

Only accepts the url in lowercase, i.e. http://myserver/myproduction/user

If you have any uppercase character, the url doesn't work. http://MyServer/MyProduction/user

Introduction

Hi Team, 

Can I please check if anyone has built a simple web interface for maintaining custom SQL lookup class.   

We have a simple persistent class in HealthShare which is used for storing Pathology test codes. Test codes in this lookup class is used for message filtering and applying additional logic when processing pathology results/orders. 

We want to make this class available to external users from pathology (not the usual management portal users) to maintain so that they can add/edit/delete test codes as required. 

One of the recommendations when deploying InterSystems Technologies for production is to set up High Availability. The recommended API Manager for these InterSystems Technologies is the InterSystems API Manager (IAM). IAM (essentially Kong Gateway) has multiple deployment topologies.

If you are looking for high availability you could use:

a) Kong Traditional Mode: Multiple Node Clusters

b) Hybrid Mode

c) DB-less Mode

Before we break them down let's first understand the out of the box deployment that is provided by InterSystems: Installing IAM Version 3.10.

Kong Traditional Mode

It seems to me that for some reason this didn't make its way to the official documentation
and seems to be rather unknown though implemented already in IRIS 2020.1

Thanks to @Dan Pasco I got a hint on the classes involved.
I used the recommended sequence of how to use it. 
it is all directly taken from Class Reference and I just collected it to create a first overview.

Why This Matters

Managing IAM can be tedious when done manually — especially when your APIs are already well-documented using OpenAPI (Swagger) specs. Wouldn't it be great if you could automatically generate Kong services and routes directly from your OpenAPI spec?

That's exactly what this ObjectScript method does: it reads an OpenAPI 2.0 spec stored in the XData block of your spec class and generates a decK-compatible YAML file that can be used to sync your IAM configuration.

This approach:

I’ve been exploring options for connecting Google Cloud Pub/Sub with InterSystems IRIS/HealthShare, but I noticed that IRIS doesn’t seem to ship with any native inbound/outbound adapters for Pub/Sub. Out of the box, IRIS offers adapters for technologies like Kafka, HTTP, FTP, and JDBC, which are great for many use cases, but Pub/Sub appears to be missing from the list.

Has anyone here implemented such an integration successfully?

For example:

One of the most common kinds of integration we are asked to do is emailing. One of the most typical email services our customers use is Microsoft’s Office 365. After setting up the right configuration on the Microsoft side, we can email from IRIS with two HTTP requests. By the end of this article, we will be able to send an email with an attachment through our Microsoft 365 service!

Securing IRIS Integrations with Mutual TLS (mTLS): A Practical Guide

In today’s enterprise environments, secure communication between systems is not optional—it’s essential. Whether you're integrating InterSystems IRIS with cloud APIs, internal microservices, or third-party platforms, Mutual TLS (mTLS) offers a powerful way to ensure both ends of the connection are authenticated and encrypted.

This post walks through how to configure IRIS for mTLS and how to validate your certificates to avoid common pitfalls.

🔐 What is Mutual TLS (mTLS)?

Hello community.

I have a request from a client who wants to do the following.
Currently, they have a data upload process via FTP in which they have implemented a RecordMap to store the information of the CSV files that are uploaded to the FTP directory.
Now they want to have another directory so that it is ONLY executed through an external instruction, not when the file is uploaded to the directory.

FHIR Server

A FHIR Server is a software application that implements the FHIR (Fast Healthcare Interoperability Resources) standard, enabling healthcare systems to store, access, exchange, and manage healthcare data in a standardized manner.

Intersystems IRIS can store and retrieve the following FHIR resources:

IAM - InterSystems API Manager is a great tool for monitoring your traffic. If you are trying to use it in your Kubernetes cluster you may have tried doing a deployment similar to this one:

Hello,

I have a main dispatcher (that extends%CSP.REST) that contains:
<Routes>
   <Map Prefix="/v([0-9]{1,2})/news"    Forward="API.Dispatch.news"/>
</Routes>

And I have the sub-dispatcher that contains:
<Routes>
   <Route Url="/:id"                        Method="GET"  Call="NewsGetItem"/>
</Routes>
If I try to access this route:
https://mydomain.com/mobile/api/v4/news/123
It doesn't work (404).
 

Hi everyone,

I’m working with an existing InterSystems IRIS server that hosts several web applications and namespace-specific code and data. I’d like to reverse-engineer the current environment into a %Installer.Manifest file so I can store it in Git and manage its changes.

My goal is to:

• Track the application setup and configuration in version control
• Rebuild environments consistently (namespaces, CSP apps, security roles, etc.)
• Possibly automate deployments later on

Well... It's time for testing. We know that often, it's already over. So, what now? Can I improve the quality of my development?

The answer is: YES. Yes, you can. The Toolqa tool aims to do just that. It's a facilitator. What's its goal?

To ensure that APIs meet pre-established business requirements, while also protecting against <sarcasm>  future failed attempts </sarcasm>  to destroy your application, website, app, or anything else that uses your API.

Now you might be wondering, how does this happen? Where's the magic?

Hello everyone,

I would like to ask whether it is possible to run InterSystems API manager (IAM) on OpenShift. Is there some documentation describing how to do it? I was searching the forum as well as the internet and I have not found much unfortunately.

Any hints would be highly appreciated.

Best regards

Martin Zukal

In this section, we will explore how to use Python as the primary language in IRIS, allowing you to write your application logic in Python while still leveraging the power of IRIS.

• Introduction Python First Approach in IRIS
  • How to use it (irispython)
    • What is irispython?
    • Example of using irispython
    • Pros
    • Cons
    • Conclusion
  • Using WSGI
    • How to use it
    • Example of using WSGI
    • Pros
    • Cons
    • Conclusion
  • DB-API
    • How to use it
    • Example of using DB-API
    • Pros
    • Cons
    • Alternatives
    • Conclusion
  • Notebook
    • How to use it
    • Example of using Notebook
    • Pros
    • Cons
    • Conclusion
• Bonus Section
  • Using a native interpreter (no irispython)
    • How to use it
    • Pros
    • Cons
  • DB-API Community Edition
    • How to use it
    • Example of using DB-API
    • Pros
    • Cons
  • Debugging Python Code in IRIS
    • How to use it
    • Pros
    • Cons
    • Conclusion
  • IoP (Interoperability on Python)
• Conclusion

Now that we have a good understanding of Python and its features, let's explore how we can leverage Python within IRIS.

• Introduction to Python in IRIS
• Language Tag
  • How to use it?
  • Pros
  • Cons
  • Conclusion
• Importing Python Modules (pypi modules)
  • How to use it
  • Pros
  • Cons
  • Conclusion
• Importing Python Modules (custom modules)
  • How to use it
  • Pros
  • Cons
  • Conclusion

In this 3-part series of articles, is shown how you can use IAM to simply add security, according to OAuth 2.0 standards, to a previously unauthenticated service deployed in IRIS.

In the first part, was provided some OAuth 2.0 background together with some IRIS and IAM initial definitions and configurations in order to facilitate the understanding of the whole process of securing your services.

REST API (Representational State Transfer Application Programming Interface) is a standardized way for web applications to communicate with each other using HTTP methods like GET, POST, PUT, DELETE, etc. It's designed around resources, which can be anything from a user to a file. Each resource is identified by a unique URL, and interactions with these resources are stateless, meaning each request from a client to a server must contain all the information needed to understand and process the request. This statelessness, along with the use of standard HTTP methods, makes REST APIs highly

Dear community, I have a confession to make. I have not gotten over Zen yet. Alas, all good things must come to an EOF, so I am currently learning about Angular. I am working on proving to myself that with the right back end and Angular components, I can deliver to myself and my team a very Zen-like experience in this environment. Since this is my first attempt, here is a fair warning: I will be providing some rather large code samples before discussing them. Please warm up your mouse and hand for extensive upcoming scrolling! Also, a note on the code snippets: many of them are labeled

Hello community,
Is there any built in class method to get the HTTP request and response message format from the %request and %response object. Similar to how a Web Gateway's HTTP Trace Facility captures HTTP messages.

Thanks!

Hello Community,

Is there a programmatic method or specific property to differentiate system-defined (/csp/altelier , /api/mgmnt and so on)  or user-defined web applications in IRIS?

Thanks!

Introduction

InterSystems IRIS allows you to build REST APIs using ObjectScript classes and the %CSP.REST framework. This enables the development of modern services to expose data for web apps, mobile apps, or system integrations.

In this article, you'll learn how to create a basic REST API in InterSystems IRIS, including:

• A persistent data class
• A REST class with GET and POST methods
• A web application to expose the API
• A full demonstration using Docker

Step 1: Create the data class Demo.Producto

Hello Community,

When handling a %CSP.REST API response for a custom endpoint, how can I capture or access the response content before it is written to the output buffer and sent through the Web Gateway to the UI?

In manually created REST services (for example, with a route like:<Route Url="/test" Method="POST" Call="User.Sample:Test" Cors="true"/> ),
the response is typically written from within any class method in the execution flow.

Is there a way to intercept or log the response content before it is sent to the client?

Thanks!

Hi community,

A few weeks ago I published an API accelerator call Memoria, Is a very simple way to minimize the time and network traffic to and end-point, I hope could be useful.

The link in openexchange: https://openexchange.intersystems.com/package/memoria

Regards!