Your Rock database holds sensitive information. In Rock, sensitivity equals security. Here's how to secure your REST API endpoints.

See the REST Controllers settings at Admin Tools > Settings > Security > REST Controllers. Select the lock icon to configure the settings. A different settings page appears depending on whether you are securing a v1 or a v2 API controller.

Understanding v2 API Controller Security

By default, the v2 API controllers are locked down for all users. That's intentional: we wanted to start with strong security so you have full control over who gets access to your data. Before you open things up, it's important to understand what each permission does:

Execute Read: Allows users to view data when executing any read statement (e.g., GET) with the v2 API.
Execute Write: Allows users to edit data when executing a write statement (e.g., PUT, DELETE, PATCH, POST) with the v2 API.
Execute Unrestricted Read: Allows users to view data, without performing entity security checks, when executing any read statement (e.g., GET) with the v2 API.
Execute Unrestricted Write: Allows users to edit data, without performing entity security checks, when executing a write statement (e.g., PUT, DELETE, PATCH, POST) with the v2 API.
Administrate: The classic permission, allowing selected users to administrate all things related to this controller, including security permissions.