We notice that it is possible to call KTA API methods with the System Session ID. Is there a way to ensure that authentication has been performed first?
A session ID is provided as a result of authentication in KTA. You can pass the System Session ID directly to the API to effectively bypass authentication. Therefore, this is expected behaviour.
KTA offers a variety of authentication methods, such as user name and password, Windows Authentication, Federated Security, etc. Since KTA 7.9, KTA can also use OAuth 2.0.
Level of Complexity
Add any references to other internal or external articles