Cross-API Access
In a Business tenant, several APIs can be linked together. Cross-API access decides which other APIs in the tenant may call this API's data — the app-to-app authorization layer for a linked suite.
It answers a single question for each API: when another API in this tenant makes a call into me, do I allow it?
Cross-API access is a Business tenant feature. It governs calls between APIs in the same tenant (linked-application traffic), not calls from end-user clients — those are governed by access rules, security policies, and application access.
Fail-closed by default
Unlike application access and the IP allowlist, which are open until you restrict them, cross-API access is deny-by-default:
- Nothing configured → no other API may call this API. The Portal states it plainly: "No APIs are allowed to access this API's data."
- You must explicitly grant access, either to specific sibling APIs or to all of them.
This matters when you link APIs: a freshly linked API won't accept app-to-app calls from its siblings until you grant them here.
Two modes
Cross-API access is configured per API in one of two mutually exclusive modes:
| Mode | Meaning |
|---|---|
| Allow all | Any current or future API in the tenant may call this API. |
| Explicit list | Only the specific sibling APIs you select may call this API. |
A few rules the configuration enforces:
- Allow-all and an explicit list can't be combined — turning on Allow all clears the explicit list.
- An API can't grant cross-access to itself.
- Every API you list must belong to the same tenant.
Configuring cross-API access
In the Developer Portal:
- Open the API and go to Settings → Cross-API access.
- Either toggle Allow all APIs, or leave it off and select the specific APIs that may call this one. Use the search box for long lists.
- Save.
Only tenant administrators (and Softeria staff) can change cross-API access. The panel only has an effect once another API exists in the tenant.
How it's enforced
When one API in the tenant calls another (a linked, app-to-app request), the target API checks the caller against its cross-API allow-list before any collection-level authorization runs:
- Caller is allowed (on the list, or Allow all is on) → the request proceeds to the target's normal access rules and security policies.
- Caller is not allowed → the request is rejected with 403 Forbidden: "Source API is not authorized to call the target API."
Cross-API access only authorizes the caller API. The end-user's own permissions on the target API still apply on top — clearing the cross-API gate does not grant the user any data they couldn't otherwise reach.
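As an added illustration (not Softeria's code; the `Api` shape, the sample tenant and every message other than the 403 text quoted above are assumptions), this model applies the configuration rules and the enforcement order described on this page: deny-by-default, Allow all clearing the explicit list, no self-grant, same-tenant only, and the cross-API gate running before the end-user's own permissions on the target.

```python
from dataclasses import dataclass, field

FORBIDDEN = (403, "Source API is not authorized to call the target API.")

@dataclass
class Api:
    api_id: str
    tenant_id: str
    allow_all: bool = False                         # "Allow all APIs" toggle
    allowed_apis: set = field(default_factory=set)  # explicit sibling list

def configure(target, tenant_apis, allow_all=False, api_ids=()):
    """Apply the configuration rules the page lists (assumed model)."""
    target.allow_all = allow_all
    target.allowed_apis.clear()   # Allow all and an explicit list never coexist
    for api_id in (() if allow_all else api_ids):
        if api_id == target.api_id:
            raise ValueError("an API can't grant cross-access to itself")
        src = tenant_apis.get(api_id)
        if src is None or src.tenant_id != target.tenant_id:
            raise ValueError(f"{api_id} does not belong to this tenant")
        target.allowed_apis.add(api_id)

def cross_api_gate(source, target):
    """None = caller allowed; otherwise the (status, message) rejection."""
    if source.tenant_id != target.tenant_id:
        return FORBIDDEN
    if target.allow_all or source.api_id in target.allowed_apis:
        return None
    return FORBIDDEN   # nothing configured -> deny

def handle_call(source, target, user_allowed):
    """Gate runs first; the end user's own permissions on the target still apply."""
    rejection = cross_api_gate(source, target)
    if rejection:
        return rejection
    return (200, "ok") if user_allowed else (403, "user not permitted on target")

def scenario():
    """Constructed sample tenant: orders, billing, reports in t1; other in t2."""
    apis = {n: Api(n, "t1") for n in ("orders", "billing", "reports")}
    apis["other"] = Api("other", "t2")
    configure(apis["orders"], apis, api_ids=["billing"])   # explicit list
    configure(apis["reports"], apis, allow_all=True)       # allow all
    return {
        "billing->orders": handle_call(apis["billing"], apis["orders"], True),
        "reports->orders": handle_call(apis["reports"], apis["orders"], True),
        "billing->reports": handle_call(apis["billing"], apis["reports"], False),
        "other->reports": handle_call(apis["other"], apis["reports"], True),
        "orders->billing": handle_call(apis["orders"], apis["billing"], True),
    }
```

Note that `billing->reports` clears the cross-API gate yet still fails, and `orders->billing` fails because nothing was ever configured on `billing`.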
Cross-API access vs. application access
Both are per-API Business-tenant controls, but they gate different callers:
| Control | Gates | Subject | Default |
|---|---|---|---|
| Application access | Opening the app | An end-user (by role) | Open (fail-open) |
| Cross-API access (this page) | App-to-app data calls | Another API in the tenant | Closed (fail-closed) |
See also
- Business Tenant Governance — the full set of governance controls
- Application Access — gate an app to specific roles
- Access Rules — per-collection method permissions