Permit REST-API not for all items

Is there a way to permit the REST-API only for some items and not for all?
Would be a nice security feature.

The short answer is no, it’s all or nothing. This has been talked about for ages and if it were easy it’d be done by now. It’s in fact exceptionally hard to implement.

As long as a reverse proxy is being used in front of OH wouldn’t it be possible to write proxy rules to disallow access? Especially if the items already would follow a specific naming rule to easily identify which are allowed and which are forbidden.
Of course this only would be a workaround and not as good and stable as if implemented in the API itself.


I might not see the forest 'cause of all those trees but I have to ask anyway:
Why would anyone try to limit the use of the REST-API for items? In my understanding the access to items via (nearly all?) UIs is done via the API.

It’s theoretically possible, but it’s going to be a whole lot of work and it’s going to be super brittle. It will also potentially break things as the UIs are written under the assumption that they can access all the Items. It will also only be a partial solution as there are REST endpoints that return information about all Items in one big JSON string so the reverse proxy would have to be smart enough to redact the JSON on the fly.
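
The two pieces of work a filtering proxy would need, as discussed in the replies above: a default-deny decision on per-item paths based on a naming rule, and redaction of the list response. This is an added sketch, not part of the thread or of openHAB itself; the `Pub_` prefix, the `/rest/items` path shapes and the `name`/`members` JSON fields are assumptions, and the path is assumed to be already normalized and URL-decoded.

```python
import json
import re

# Assumption: items that may be exposed follow a naming rule, here the
# hypothetical prefix "Pub_"; every other item name is treated as forbidden.
ALLOWED = re.compile(r"^Pub_[A-Za-z0-9_]+$")
# Assumption: single-item paths look like /rest/items/<name>[/state]
ITEM_PATH = re.compile(r"^/rest/items/([^/]+)(?:/state)?$")


def path_allowed(path):
    """Decide per-item requests by name; default-deny anything unrecognised."""
    if path == "/rest/items":
        return True  # list endpoint: allowed, but its body must be redacted
    m = ITEM_PATH.match(path)
    return bool(m and ALLOWED.match(m.group(1)))


def redact_item(item):
    """Return a copy of one item object with forbidden group members removed."""
    out = dict(item)
    if "members" in out:
        out["members"] = [redact_item(m) for m in out["members"]
                          if ALLOWED.match(m.get("name", ""))]
    return out


def redact_items_body(body):
    """Filter the JSON array returned by the list endpoint."""
    items = json.loads(body)
    return json.dumps([redact_item(i) for i in items
                       if ALLOWED.match(i.get("name", ""))])


# Constructed sample response, not captured from a real system.
SAMPLE = json.dumps([
    {"name": "Pub_Livingroom_Temp", "type": "Number", "state": "21.5"},
    {"name": "Alarm_Code", "type": "String", "state": "1234"},
    {"name": "Pub_Group", "type": "Group", "state": "NULL", "members": [
        {"name": "Pub_Light", "type": "Switch", "state": "ON"},
        {"name": "Front_Door_Lock", "type": "Switch", "state": "OFF"}]},
])

if __name__ == "__main__":
    print(path_allowed("/rest/items/Alarm_Code/state"))  # denied by name
    print(redact_items_body(SAMPLE))
```

The sketch only handles the item list and single-item paths; every other endpoint that returns item data would need its own redaction rule, which is where the brittleness described above comes from.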