Prevent Direct API Authentication
Starting in Secret Server 12.1, Prevent Direct API Authentication is turned on by default for new installations (both on-premises and cloud). Existing installations that are upgraded are not affected—the setting retains whatever value it had before the upgrade.
When enabled, this setting blocks direct username and password authentication against the /oauth2/token endpoint. It is intended to reduce exposure to credential-stuffing and brute-force attacks by pushing interactive users toward browser-based login flows.
You can view and change this setting on the Application Settings page.
Affected on New Installs (Blocked by Default)
-
Delinea Credential Manager local login
-
Connection Manager local login
-
Integrated Windows Authentication (IWA) web-service login
Not Affected (Still Work Normally)
-
Application accounts (exempted by design)
-
SSH terminal access
-
Browser-based interactive login flows
-
OAuth token refresh (for sessions that already authenticated)
Workarounds
If you need one of the affected flows to continue working on a new install, choose one of the following:
-
Grant the bypass permission. Assign the Bypass Direct API Authentication Restriction role permission to the specific user or role that needs direct API authentication. This is the most targeted option and does not change behavior for anyone else.
-
Convert the account to an application account. Application accounts are exempt from this restriction by design. Use this when the credential belongs to a service or integration rather than a person.
-
Disable the setting. Turn off Prevent Direct API Authentication entirely on the Application Settings page. This restores pre-change behavior for all users and is the least targeted option—use it only if the first two workarounds do not fit your environment.