Security
You can secure Web API endpoints with a Litium service account or with cookie authentication. This section describes how.
Using service account
Certain endpoints are secured with a Litium service account, so that only a remote server that knows the service account credentials can access them.
You may read about other methods of securing endpoints here.
To use a service account, mark the endpoints with the Litium.Web.WebApi.OnlyServiceAccountAuthorization attribute.
Configure service account
In Litium backoffice, under Control panel > System settings > service accounts, add a service account and associate it with an existing user. The user groups of the associated user ultimately control how much access the service account has.
The endpoint that needs to be secured needs to be marked with the "OnlyServiceAccountAuthorization" attribute, for example the Get method in OrderController.
To access the endpoint, the appropriate Authorization header should be sent. One way to test is to copy the ServiceAccount <passwordhash> as an Authorization header and use the Postman client to send a request.

In practice, when calling from a client, you can send the access_token instead of the authorization header. The access token should be fetched from the /Litium/Oauth/Token endpoint. The resulting access_token should be sent as the bearer token in the Authorization header.
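The token flow described above, as an added Python example (not Litium's own code): a client that fetches the access_token from /Litium/Oauth/Token, caches it until shortly before expiry, and sends it as the bearer token. Assumptions: the token endpoint accepts a standard OAuth 2.0 client-credentials form post with the service account name and password as client_id and client_secret, and the class name, host name and API path used with it are hypothetical.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/Litium/Oauth/Token"  # token endpoint named on the page


def http_send(request):
    """Default transport: perform the request and return the raw body."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read()


class LitiumTokenClient:  # hypothetical name, not part of Litium
    def __init__(self, base_url, account, password, send=http_send):
        # Credentials and tokens must never travel over plain HTTP.
        if not base_url.lower().startswith("https://"):
            raise ValueError("base_url must use https://")
        self.base_url = base_url.rstrip("/")
        self._account, self._password = account, password
        self._send = send
        self._token, self._expires_at = None, 0.0

    def token_request(self):
        # ASSUMPTION: standard OAuth 2.0 client-credentials form fields.
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self._account,
            "client_secret": self._password,
        }).encode("ascii")
        return urllib.request.Request(
            self.base_url + TOKEN_PATH, data=form, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})

    def access_token(self):
        # Reuse the cached token until 30 seconds before it expires.
        if self._token is None or time.time() >= self._expires_at - 30:
            payload = json.loads(self._send(self.token_request()))
            self._token = payload["access_token"]
            self._expires_at = time.time() + float(payload.get("expires_in", 0))
        return self._token

    def api_request(self, path):
        # The access_token goes in the Authorization header as a bearer token.
        return urllib.request.Request(
            self.base_url + path,
            headers={"Authorization": "Bearer " + self.access_token()})
```

Pass the request returned by api_request to urllib.request.urlopen, and load the service account credentials from a secret store or environment variable rather than from source code.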
