
Session token-based authentication


Session token-based authentication is deprecated in favor of API key and session-based authentication methods (form-based login, Azure AD, OpenID, etc.).


Session token-based authentication is considered insecure and should not be enabled.

This authentication method was widely used in the past for both action pads in the Desktop Client and integrations with other systems. A login request was made (username and password), and the server returned a token, which the client then passed with every request as an HTTP header.

These days, applications integrating with Lime CRM should instead use API key authentication, and action pads are authenticated by the Desktop Client itself.

Session token-based authentication is disabled by default but can be re-enabled to make legacy integrations work until they have been updated to use either API key or session-based authentication.

To enable session token-based authentication (not recommended), add the following to the Web Server configuration:

    enable_sessionid_request_header_auth: True

LBS App Example

To upgrade an LBS App used in an action pad, remove all session id code from the LBS app. The Desktop Client will add its own authentication to the calls.

Remove the code as shown in these examples:

    // Get the session id example 1
    var sessionId = lbs.limeDataConnection.Database.SessionID; // Remove

    // Get the session id example 2
    var sessionId = lbs.common.executeVba('LC_Globals.GetSessionId'); // Remove

    // Use of session id in an ajax call header example
    $.ajax({
        url: '',
        headers: {
            'sessionId': sessionId // Remove
        }
    });
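
One way to check an LBS app for leftover session id code before turning the legacy setting off, as an added example that is not part of the original documentation or of Lime CRM's own code. The patterns are taken from the snippets above; the function name `findLegacySessionIdUsage`, the rule labels, and the sample source (including its URL) are constructed for illustration.

```javascript
// Added example: flags leftover session-id usage in LBS app source text.
// Patterns mirror the three snippets shown on this page; everything else
// (names, rule labels, sample source) is hypothetical.
const LEGACY_PATTERNS = [
  { rule: 'session-id-property', re: /limeDataConnection\s*\.\s*Database\s*\.\s*SessionID/ },
  { rule: 'session-id-vba-call', re: /executeVba\s*\(\s*['"]LC_Globals\.GetSessionId['"]/ },
  { rule: 'session-id-header', re: /['"]?sessionId['"]?\s*:/i },
];

// Returns one finding per matching rule per line, with 1-based line numbers.
function findLegacySessionIdUsage(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const code = text.trim();
    // Skip blank lines and whole-line comments so notes about removed
    // code are not reported as live usage.
    if (code === '' || code.startsWith('//')) return;
    for (const { rule, re } of LEGACY_PATTERNS) {
      if (re.test(code)) findings.push({ line: index + 1, rule, text: code });
    }
  });
  return findings;
}

// Constructed sample: an action pad script that still carries legacy code.
const SAMPLE_APP = [
  "// Get the session id",
  "var sessionId = lbs.limeDataConnection.Database.SessionID;",
  "var fallback = lbs.common.executeVba('LC_Globals.GetSessionId');",
  "$.ajax({",
  "    url: '/example/endpoint',",
  "    headers: {",
  "        'sessionId': sessionId",
  "    }",
  "});",
].join('\n');

for (const f of findLegacySessionIdUsage(SAMPLE_APP)) {
  console.log(`line ${f.line}: ${f.rule}: ${f.text}`);
}
```

An empty result for every script in an app means none of the three patterns shown on this page remain in it.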