Virtual Happy Hour this month, Jun 28, we'll be getting a sneak preview at our soon to launch SaaS CMS!

Try our conversational search powered by Generative AI!

epi commerce and service api


We have installed serviceapi on a commerce site. Everything works as expected with api queries, token, admin catalog, admin marketing. But the order management does not work, all xhr requests get : 

"Message": "Authorization has been denied for this request.". Is there something I can do to fix this ?

episerver.cms 11.20.6
episerver.commerce 13.30.0
episerver.serviceapi 5.4.5


Apr 30, 2021 8:02

It is a known issue, and a very long time one. ServiceAPI supresses the default host authentication (i.e. removing the authentication cookie from the request), which renders the Order Management (built on Web API) useless. Of course it's less than optimal, but the only way to work around this for now is to have ServiceAPI installed on a separate site. 

Apr 30, 2021 15:17

Aha, thanks that explains a lot. Hopefully this will be fixed eventually.. But when I looked into this with the knowledge from your reply I saw that this has been an issue since 2016 so I guess we will have to live with it for a while. Is there an easy way to "remove" this in a azure build or do we have to have two brances or repos ?

Thanks again

Edited, May 04, 2021 11:16

Good question, I don't know exactly how other customers do it, but technically you can just have another site (empty commerce + serviceapi) in your solution with a publish profile, pretty much like what you have commerce manager and cms/front end publish profiles 

May 04, 2021 11:57

We are now running into this problem as well. However, a separate site is not so easy since we are hosting on DXC. (Where a separate site is quite costly too)

Is there any other way to fix this, or is there any clarity on when this will be fixed?


May 06, 2021 11:32

It has been being discussed on and off for quite some time, but no decision has been made. 

May 06, 2021 11:46

Apparently there is another way.

You can add this code to a Initialization module. 
This will disable the suppression of cookie authenication, and thus make cookie authentication work for service api, so less secure when this is disabled.

var handler = GlobalConfiguration.Configuration.MessageHandlers
    .FirstOrDefault(x => x.GetType() == typeof(PassiveAuthenticationMessageHandler));
if (handler != null)
May 20, 2021 12:11

The code mark provided is the way to do it at the moment however it does open up the possibility of CSRF vunerability since you are now allowing authentication through both bearer token and cookies.

Discuss with your client to determine if this is acceptable.

May 21, 2021 9:50
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.