


Authentication

Custom Authorization for (REST) services

To set up a custom authentication service for APIs (on a service package), the following rules are needed:

Rule type                                   Description
Authentication service rule (type custom)   Umbrella for the authentication
Timeout activity                            Activity that optionally contains logic that will be run on timeout
Authentication activity                     Activity with the purpose of authenticating the requestor

Configuring the Authentication service

  1. On the Service tab: indicate a timeout activity (its implementation can be empty) and indicate an Authentication activity (needs an implementation, described below).
  2. On the Custom tab: choose "Use externally stored credentials". This must match the "Use external authentication" setting on the operator record that the authentication activity returns.

Implementing the Authentication activity

The purpose of the activity is to do the actual authentication. Successful authentication is indicated by two parameters:

  1. pyOperPage must be a Data-Admin-Operator-ID clipboard page (the identified operator), passed as a Java object.
  2. pyUserIdentifier → the operator identifier.

The following can be used in a java step (where myStepPage is the operator page):

// myStepPage is the Data-Admin-Operator-ID page of the identified operator
tools.putParamValue("pyOperPage", myStepPage);
tools.putParamValue("pyUserIdentifier", myStepPage.getString("pyUserIdentifier"));

Most likely a token of some sort is expected in the HTTP headers sent by the client/user to authenticate. In the authentication context the HTTP headers can be read as in the following example:

// The requestor page exposes the underlying servlet request as a Java object
ClipboardPage pxRequestorPage = tools.findPage("pxRequestor");

javax.servlet.http.HttpServletRequest request = (javax.servlet.http.HttpServletRequest) pxRequestorPage.getObject("pxHTTPServletRequest");
// Raw header value, e.g. "Bearer <token>"; null when the header is absent
String authToken = request.getHeader("Authorization");

In the example the Authorization header is fetched into a local variable authToken.

To summarize the flow of the activity:

  1. Get the credentials from the header.
  2. Verify that the credentials are valid and identify the client/consumer/user.
  3. Compose the operator page (read it from the database or use a template operator).
  4. Indicate success by setting the expected pyOperPage and pyUserIdentifier.
    (If either parameter is missing, the result is a 401 Unauthorized response.)
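The following Java-step body carries the four steps above through end to end, including the header read shown earlier. It is an added example, not code from the original page or from Pega. It assumes an earlier Obj-Open step in the same activity has already loaded the template operator into a page named OperatorTemplate, and that the SHA-256 hex digest of the token the client is expected to present is available on a page named ApiClientConfig in a property TokenSha256Hex; those two page names and the property are hypothetical. Only `tools`, `oLog`, the pxRequestor page and the two result parameters come from the page.

```java
// Added example, not code from the original page or from Pega.
// Body of a Java step in the custom Authentication activity. `tools` (PublicAPI)
// and `oLog` are supplied by the Java-step context. Java steps cannot declare
// imports or helper methods, so fully qualified names are used, as on the page.
//
// Hypothetical assumptions:
//   - page "OperatorTemplate": Data-Admin-Operator-ID page loaded by an earlier
//     Obj-Open step (the "template operator" of step 3)
//   - page "ApiClientConfig", property "TokenSha256Hex": lower-case hex SHA-256
//     of the token the client is expected to present (never store the raw token)

// 1. Get the credentials from the header
com.pega.pegarules.pub.clipboard.ClipboardPage pxRequestorPage = tools.findPage("pxRequestor");
javax.servlet.http.HttpServletRequest request =
    (javax.servlet.http.HttpServletRequest) pxRequestorPage.getObject("pxHTTPServletRequest");
String authHeader = request.getHeader("Authorization");

// Accept only "Bearer <token>"; the scheme name is case-insensitive (RFC 6750).
String presentedToken = null;
if (authHeader != null && authHeader.regionMatches(true, 0, "Bearer ", 0, 7)) {
    presentedToken = authHeader.substring(7).trim();
    if (presentedToken.isEmpty()) {
        presentedToken = null;
    }
}

// 2. Verify the credentials: hash what the client sent and compare it with the
//    stored digest in constant time, so a mismatch costs the same regardless of
//    how many leading characters happen to agree.
boolean valid = false;
if (presentedToken != null) {
    String expectedHex = tools.findPage("ApiClientConfig").getString("TokenSha256Hex"); // hypothetical page
    if (expectedHex != null && !expectedHex.isEmpty()) {
        try {
            java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(presentedToken.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            // MessageDigest.isEqual compares all bytes when the lengths match
            valid = java.security.MessageDigest.isEqual(
                hex.toString().getBytes(java.nio.charset.StandardCharsets.US_ASCII),
                expectedHex.toLowerCase().getBytes(java.nio.charset.StandardCharsets.US_ASCII));
        } catch (java.security.NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every JRE; treat its absence as a failed check
            valid = false;
        }
    }
}

if (valid) {
    // 3. Compose the operator page: here the template operator opened earlier
    com.pega.pegarules.pub.clipboard.ClipboardPage operatorPage = tools.findPage("OperatorTemplate"); // hypothetical page

    // 4. Indicate success. Leaving these two parameters unset is what produces
    //    the 401 Unauthorized response described above, so nothing is set on failure.
    tools.putParamValue("pyOperPage", operatorPage);
    tools.putParamValue("pyUserIdentifier", operatorPage.getString("pyUserIdentifier"));
} else {
    // Log the outcome only; never log the header value itself
    oLog.infoForced("Custom authentication failed: missing or invalid bearer token");
}
```

Because the failure branch sets neither pyOperPage nor pyUserIdentifier, the service returns the 401 described above without any extra error handling in the step. Comparing digests rather than raw tokens means the activity never needs the secret in clear text, and `MessageDigest.isEqual` avoids the early-exit comparison that `String.equals` would perform.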
pega/authentication.txt · Last modified: by Niels