Oracle REST Data Services (ORDS) and Pre-Authenticated Requests (PARs)

Mahdi AhmadiMahdi Ahmadi
4 min read

Introduction

Oracle REST Data Services (ORDS) recently introduced a powerful new feature: Pre-Authenticated Requests (PARs). This allows developers to share REST API access without needing complex authentication, all while keeping things secure and temporary.

In this post, we’ll break down what PARs are, how they work, why they’re useful, and walk through some practical examples.

What are Pre-Authenticated Requests (PARs)?

PARs are special URLs that are:

  • Already authenticated (no token or login needed)

  • Designed for temporary access to specific API resources

  • Easy to share and use (just open the URL)

  • Secure, with built-in expiration and usage limits

They let you call an API without adding headers, tokens, or dealing with session management.

When Was This Introduced?

This feature came out with ORDS version 23.2 (2023). Oracle added it to simplify integration with external systems and make data sharing more secure and flexible.

Why Use PARs? – The Benefits

  • Safe Sharing: Give access to an API without exposing your main credentials

  • Temporary Access: Set an expiration date so the link stops working after a while

  • Simple Integration: Ideal for systems or users that don’t support OAuth or tokens

  • Better Security: Reduce the risk of permanent token leaks

Real-World Use Cases

  • Share a report with someone outside your company

  • Let a partner access specific data for a short period

  • Connect mobile/web apps without implementing full login/auth

  • Enable scheduled batch jobs to hit an endpoint

How Does It Work?

Here’s the high-level process:

  1. Admin creates a PAR using PL/SQL

  2. ORDS generates a unique pre-authenticated URL

  3. The user accesses the API by simply opening that link

That’s it! No token, no login.

Step-by-Step Example – Sales Reporting

Scenario:

You want to share the monthly sales report with your CEO who doesn't have an ORDS account.

Step 1: Define the REST API

BEGIN
  ORDS.define_service(
    p_module_name    => 'sales.v1',
    p_base_path      => 'sales/v1/',
    p_pattern        => 'monthly_report/',
    p_method         => 'GET',
    p_source_type    => ORDS.source_type_collection_feed,
    p_source         => 'SELECT * FROM sales_monthly_reports WHERE month = :month',
    p_items_per_page => 0
  );
  COMMIT;
END;

Step 2: Create the PAR

BEGIN
  ORDS.create_pre_authenticated_request(
    p_module_name => 'sales.v1',
    p_pattern     => 'monthly_report/',
    p_parameters  => 'month=2023-10',
    p_expires     => SYSTIMESTAMP + INTERVAL '7' DAY,
    p_method      => 'GET',
    p_label       => 'Sales Report for CEO - Oct 2023'
  );
END;

Output (The PAR URL)

https://your-ords-server/ords/par_requests/par_id/123456789

Now you can send this link via email or chat to your CEO. They can open it in the browser or use curl, no password needed.

More Technical Details

PAR Structure

Each PAR includes:

  • par_id: Unique request ID

  • expiration: When the link stops working

  • allowed_methods: Which HTTP methods are permitted

  • source_url: The original API endpoint

Security Features

  • Digital Signature: ORDS signs each PAR to prevent tampering

  • IP Restrictions: You can lock access to specific IPs

  • Usage Limits: You can limit how many times a PAR is used

Advanced Example – With Extra Security

BEGIN
  ORDS.create_pre_authenticated_request(
    p_module_name => 'hr.v1',
    p_pattern     => 'employees/',
    p_parameters  => 'department=IT',
    p_expires     => SYSTIMESTAMP + INTERVAL '1' HOUR,
    p_method      => 'GET',
    p_max_uses    => 5,
    p_source_ip   => '192.168.1.100',
    p_label       => 'Temporary IT Dept Access'
  );
END;

Usage:

curl -X GET "https://ords.example.com/ords/par_requests/par_id/123456789"

How ORDS Validates Each Request

When a PAR is used, ORDS checks:

  • Is the link expired?

  • Is it coming from the allowed IP?

  • Has it been used too many times?

  • If all is good, the request is forwarded to the original API endpoint

Bonus Use Cases

Batch Processing

-- Use a PAR for nightly inventory updates
BEGIN
  ORDS.create_pre_authenticated_request(
    p_module_name => 'batch.v1',
    p_pattern     => 'inventory/update/',
    p_method      => 'POST',
    p_expires     => TRUNC(SYSDATE) + 1
  );
END;

Integration with Partners

  • Give each partner a unique PAR with scoped access

  • Set tight expiration rules for extra safety

Emergency Access

  • Create a PAR with 15-minute validity for urgent use (e.g., backup/restore)

Managing PARs

View Active PARs

SELECT par_id, label, expires, uses_remaining 
FROM user_ords_pre_authenticated_requests
WHERE status = 'ACTIVE';

Revoke a PAR Before It Expires

BEGIN
  ORDS.revoke_pre_authenticated_request(
    p_par_id => '123456789'
  );
END;

Summary – Why You Should Use PARs

No need to manage auth tokens
Secure, time-bound access
Great for integration and external sharing
Easy to monitor and revoke

Pre-Authenticated Requests (PARs) in ORDS are a simple yet powerful way to share access to your APIs securely and temporarily. They make life easier for developers while keeping your data protected.

Want to simplify your Oracle API access without compromising security? PARs might be exactly what you need.

0
Subscribe to my newsletter

Read articles from Mahdi Ahmadi directly inside your inbox. Subscribe to the newsletter, and don't miss out.

ordsoracle ords#oracle-apex

Written by

Mahdi Ahmadi
Mahdi Ahmadi

Founder & CEO at Artabit | Oracle APEX Expert | Building Innovative HR Solutions | UAE & Iran