How to allow rest requests only for logged in users

Hi guys,
I am new to dreamfactory and am currently developing an app with AngularJS.

I have the following questions:

  • how / where can I define that REST calls are only possible if the user is logged in?
  • how can I make LEFT JOINS with the REST API?

Thanks and regards,



Good questions. To your first, you’ll need to define users/roles within your DSP - this comes with a bit of a learning curve, but the concept is easily implemented once understood.

Please have a look a this documentation on user management:

As far as your second question, the new release (still pending…) has functionality to support stored procedures. Simply create your JOIN queries within the stored proc and then call this with a REST call.

Please let me know if you have anymore questions.


1 Like

Hi Mark,
thanks for your help.

I just defined a group “Users” which have API Access to my services.

So did I understand correctly, that you have to be logged in to use the api or is it useable without any session id, too? I’m asking due to security.

EDIT: I just called from my browser and its working fine. How can I avoid, that this is working without a valid session_id or token?




Looks like either you haven’t logged in or the you’ve entered a wrong password on your end.

Have a look at this blog:

As far as being able to access this without logging in, that’s related to guest users being enabled or not. You can give different levels of access to your guest users depending on what you’d like them to access or not. Guest users do not have to login. All of the permissions that you give them are allowed outside of logging into the DSP.

Let me know if you have anymore questions.


  • Mark

Hi Mark,
thanks for the reply. I now defined a role guest user with no access to any service. But I am still getting a valid response when opening

Is it possible to have a quick look at my settings?

I don’t want my REST-API to be open to the public. Only logged in users should use it.



Can you use a different browser session? It sounds like the request is using your admin session that is still loaded in the browser.

Also. Turn off guest users in the config section.

Great thanks. Now it works!