OAuth integration enhancements

The following are the enhancements to OAuth integration.

Indicate if an OAuth Server is disabled and why

If the access tokens for an OAuth Server are not refreshed, the OAuth Server is disabled, and the import sources and web service activities that depend on it stop working.

The new Disabled reason setting in the OAuth Server configuration shows whether the OAuth Server is disabled and, if so, why.

TotalAgility OAuth clients

The TotalAgility RESTful SDK APIs support the OAuth client credentials flow as an authentication type. You can configure separate OAuth client "applications", each with its own client ID and client secret. See TotalAgility OAuth clients in the TotalAgility Designer Help.

The following related functionality is also supported:

OAuth authentication using third-party OAuth providers

In Tungsten TotalAgility 8.0.0, the access tokens used with the TotalAgility REST SDK APIs were generated by TotalAgility, and the clients were defined and authenticated within TotalAgility.

Tungsten TotalAgility 8.1.0 also accepts access tokens issued by authorized third-party providers. The clients can be defined and authenticated by those providers once you specify in TotalAgility Designer which providers are authorized, along with the details TotalAgility needs to validate their access tokens.

Only third-party OAuth providers that issue JWT access tokens are supported; opaque access tokens, which can only be checked by calling back to the provider, are not.

Client assertions for OAuth clients

Tungsten TotalAgility 8.0.0 supported only a client secret sent in the POST body or via HTTP Basic authentication.

In Tungsten TotalAgility 8.1.0, you can enable the OAuth client assertion authentication method for the REST SDK APIs in the OAuth Client configuration in TotalAgility Designer.

When the "Client assertion" authentication method is selected, the client sends a signed client assertion to the OAuth token endpoint (OAuth/token), which extracts it and validates it against the new client assertion fields (Audience, Issuer, Subject, and signature) before issuing the access token.
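To make the two JWT-based mechanisms above concrete, the Python below (an added example, not TotalAgility or Tungsten code) mints an RFC 7523 client assertion carrying the Issuer, Subject and Audience the token endpoint checks, builds the form body for POST OAuth/token, and then runs the validation a token endpoint applies to that assertion and a resource server applies to a third-party JWT access token: pinned algorithm, signature, issuer, audience, optional subject, expiry and jti replay. It signs with HS256 from the standard library so it runs offline; real providers and client keys use asymmetric algorithms such as RS256, so in production the HMAC check becomes a public-key verification. The host in TOKEN_ENDPOINT, the client_assertion* form parameter names (taken from RFC 7523, not from the product documentation), the client ID "reporting-app" and the demo key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Placeholders: the OAuth/token path is from the release notes; the host, the path
# prefix and the RFC 7523 client_assertion* parameter names are assumptions.
TOKEN_ENDPOINT = "https://tta.example.com/TotalAgility/Services/SDK/OAuth/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS over the claims. HS256 (shared key) keeps the example offline; real
    client assertions and provider tokens use an asymmetric alg such as RS256 so the
    verifier holds only the signer's public key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "demo-key-1"}
    segments = [b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def build_client_assertion(client_id: str, key: bytes, *, audience: str = TOKEN_ENDPOINT,
                           lifetime: int = 60, now: Optional[int] = None) -> str:
    """RFC 7523 client assertion: the client is both Issuer and Subject, the token
    endpoint is the Audience, and a fresh jti lets the server refuse a replayed copy."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    return sign_jwt(claims, key)

def token_request_form(client_id: str, assertion: str) -> dict:
    """Form body for POST OAuth/token; the assertion takes the place of the client secret."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion}

class JwtError(ValueError):
    """A token failed one of the validation steps."""

def validate_jwt(token: str, key: bytes, *, issuer: str, audience: str,
                 subject: Optional[str] = None, now: Optional[int] = None,
                 leeway: int = 30, seen_jti: Optional[set] = None) -> dict:
    """Checks a token endpoint runs on a client assertion and a resource server runs on a
    third-party JWT access token: pinned alg, signature, Issuer, Audience, optional
    Subject, exp/nbf with a little clock skew, and jti replay."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except ValueError:
        raise JwtError("malformed header")
    # The accepted algorithm comes from configuration, never from the token itself,
    # which rules out alg=none and HMAC/RSA key-confusion tricks.
    if header.get("alg") != "HS256":
        raise JwtError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise JwtError("bad signature")
    claims = json.loads(b64url_decode(p_b64))  # trusted only now that the signature holds
    if claims.get("iss") != issuer:
        raise JwtError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JwtError("audience mismatch")
    if subject is not None and claims.get("sub") != subject:
        raise JwtError("subject mismatch")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise JwtError("expired")
    if now + leeway < claims.get("nbf", now):
        raise JwtError("not yet valid")
    if seen_jti is not None:
        if claims.get("jti") in seen_jti:
            raise JwtError("replayed assertion")
        seen_jti.add(claims.get("jti"))
    return claims

def validation_error(token: str, key: bytes, **kwargs) -> Optional[str]:
    """None if the token validates, otherwise the rejection reason."""
    try:
        validate_jwt(token, key, **kwargs)
        return None
    except JwtError as exc:
        return str(exc)

if __name__ == "__main__":
    key = b"demo-shared-secret"  # constructed stand-in for the client's signing key
    assertion = build_client_assertion("reporting-app", key)
    print(token_request_form("reporting-app", assertion))
    print(validate_jwt(assertion, key, issuer="reporting-app", audience=TOKEN_ENDPOINT))
```

Feeding validate_jwt a tampered token (alg switched to none, a signature made with another key, an assertion addressed to a different audience, or the same jti presented twice) yields a distinct rejection reason instead of an access token, which is the behaviour to expect from the token endpoint for each of the Audience, Issuer, Subject and signature fields. With a shared HMAC key the token endpoint could forge assertions itself; that is why the asymmetric variant, where the server stores only the client's public key, is the one to deploy.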

Specific user for each OAuth client application

In Tungsten TotalAgility 8.0.0, all OAuth client applications are identified by the System session ID.

In Tungsten TotalAgility 8.1.0, when using OAuth authentication with the TotalAgility REST SDK APIs, you can optionally specify a TotalAgility user in the TotalAgility OAuth client configuration. That user is identified as the calling user whenever an access token granted to the OAuth client application is used, which lets you run each client application as a dedicated, least-privileged account instead of the System session.

Extra authentication using client certificates when using OAuth clients

When defining OAuth clients for TotalAgility OAuth authentication, you can specify one or more client certificates (mTLS) that are accepted as extra authentication for calling the TotalAgility REST SDK APIs. An OAuth access token generated by TotalAgility for such a client can then be used to call the REST SDK APIs when the request also presents a matching client certificate, so a token that leaks on its own is not sufficient to call the APIs.