Rally Custom Views : How to update/create Rally objects from a Rally Custom HTML Widget without using an SDK

Article ID: 416777

Products

Rally SaaS

Issue/Introduction

We're trying to update or create Rally objects directly from a Rally Custom View HTML Widget. While the Rally App SDK supports this, we want to call the Rally Web Service API directly as an alternative. The problem is that when we pass the 'API KEY' variable in POST requests, we get a permissions error, so we cannot update or create objects from our custom pages this way.

Environment

Rally SaaS

Cause

This is a known Rally limitation; see the Resolution below.

Resolution

For security reasons, permanent API Keys must not be embedded directly within Custom HTML Widgets. A key placed in widget HTML is visible to anyone who can view the page, and because it is permanent it stays valid until revoked, so this policy is a fundamental safeguard against long-lived credential exposure.

Instead of permanent API Keys, Custom HTML Widgets must use Rally's Security Tokens. This is the recommended and secure method for performing authenticated actions within these widgets.

What is a Security Token?

  • A Security Token is a temporary, session-based credential that Rally issues to a user upon successful login. It acts as a digital pass, verifying the user's identity and their authorized permissions for the duration of their active session.

  • Enhanced Security: Because a Security Token is temporary and bound to one session, it carries far less risk than a permanent API Key. Should a token be exposed (an unlikely event), it is only valid for the current user session.

Below is sample code for a Custom HTML Widget that updates a Rally object directly from a Custom View using the Security Token.

Sample code:

// The Security Token is issued to the logged-in user's session; the hosting
// Rally page exposes it to the widget through window.parent.envConfig.
const securityToken = window.parent.envConfig.securityToken;

// A WSAPI ref ends in "/<type>/<ObjectID>", e.g. "/defect/12345678" or the
// full URL ".../slm/webservice/v2.0/defect/12345678". The helpers below pull
// those trailing segments out of the ref.
function refPathSegments(ref) {
  return String(ref).split('?')[0].split('/').filter(Boolean);
}

function getWsapiTypeFromRef(ref) {
  const parts = refPathSegments(ref);
  return parts.length >= 2 ? parts[parts.length - 2].toLowerCase() : null;
}

function getObjectIDFromRef(ref) {
  const last = refPathSegments(ref).pop();
  return last && /^\d+$/.test(last) ? last : null;
}

// Plain function (no "export") so it runs inside the widget's inline <script>.
async function updateWsapiObject(ref, fieldsToUpdate, securityToken) {
  const type = getWsapiTypeFromRef(ref);
  if (!type) {
    throw new Error(`Could not determine object type from ref: ${ref}`);
  }
  const objectID = getObjectIDFromRef(ref);
  if (!objectID) {
    throw new Error(`Could not determine object ID from ref: ${ref}`);
  }

  // WSAPI expects the fields wrapped in an object keyed by the type name.
  const body = { [type]: fieldsToUpdate };

  // The Security Token goes in the "key" query parameter. Authentication itself
  // comes from the user's session cookie, which credentials: 'include' sends.
  const url = `/slm/webservice/v2.0/${type}/${objectID}?key=${encodeURIComponent(securityToken)}`;

  const response = await fetch(url, {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body)
  });
  if (!response.ok) {
    throw new Error(`HTTP ${response.status} updating ${ref}`);
  }

  const result = await response.json();

  // Rally reports validation and permission failures inside OperationResult.Errors.
  if (result.OperationResult.Errors && result.OperationResult.Errors.length > 0) {
    throw new Error(`Error updating object: ${result.OperationResult.Errors.join(', ')}`);
  }

  console.log('Update successful:', result.OperationResult.Object);
  return result.OperationResult.Object;
}
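The sample above only updates an existing object. The following is an added example, not Rally's code or the article's own, showing the matching create call: it POSTs to the WSAPI create endpoint with the same session Security Token in the key query parameter and reads the CreateResult envelope. The function names, the constructed sample response, the placeholder token and the injectable fetch parameter are assumptions made for this example so the flow can be exercised without a live Rally session.

```javascript
// Added example (not Rally's code): creating a WSAPI object from a Custom HTML
// Widget with the session Security Token. Helper names and sample data are
// constructed for this example; the /<type>/create endpoint and the
// CreateResult envelope are standard Rally WSAPI v2.0 conventions.

const WSAPI_BASE = '/slm/webservice/v2.0';

// Build the URL and fetch options for creating one object of the given type.
// Kept separate from the network call so the request can be inspected offline.
function buildCreateRequest(type, fields, securityToken) {
  // WSAPI type names are letters, optionally with one sub-type segment
  // (e.g. "defect" or "portfolioitem/feature").
  if (!type || !/^[a-z]+(\/[a-z]+)?$/i.test(type)) {
    throw new Error(`Invalid WSAPI type: ${type}`);
  }
  // The token travels in the "key" query parameter; the session cookie sent by
  // credentials: 'include' is what actually authenticates the user.
  const url = `${WSAPI_BASE}/${type}/create?key=${encodeURIComponent(securityToken)}`;
  return {
    url,
    options: {
      method: 'POST',
      credentials: 'include',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ [type]: fields })
    }
  };
}

// Interpret a WSAPI envelope such as {"CreateResult": {...}} or
// {"OperationResult": {...}}: throw when Rally reports errors, else return Object.
function unwrapWsapiResult(json, envelopeKey) {
  const result = json && json[envelopeKey];
  if (!result) {
    throw new Error(`Unexpected WSAPI response: missing ${envelopeKey}`);
  }
  if (Array.isArray(result.Errors) && result.Errors.length > 0) {
    throw new Error(`WSAPI error: ${result.Errors.join(', ')}`);
  }
  return result.Object;
}

// Full create call. fetchImpl is injectable so the flow can be run against a
// constructed response; inside a widget, omit it to use the browser's fetch.
async function createWsapiObject(type, fields, securityToken, fetchImpl = fetch) {
  const { url, options } = buildCreateRequest(type, fields, securityToken);
  const response = await fetchImpl(url, options);
  if (!response.ok) {
    throw new Error(`HTTP ${response.status} from ${url}`);
  }
  return unwrapWsapiResult(await response.json(), 'CreateResult');
}

// Constructed stand-in for Rally's response, used only to demonstrate the flow offline.
const SAMPLE_CREATE_RESPONSE = {
  CreateResult: {
    Object: { _ref: '/defect/111111', Name: 'Login button unresponsive' },
    Errors: [],
    Warnings: []
  }
};

// Constructed fetch replacement returning the sample response above.
function fakeFetch(url, options) {
  return Promise.resolve({
    ok: true,
    status: 200,
    json: () => Promise.resolve(SAMPLE_CREATE_RESPONSE)
  });
}

// Usage in a real widget: drop fakeFetch and pass
// window.parent.envConfig.securityToken as the token, as the article shows.
createWsapiObject('defect', { Name: 'Login button unresponsive' }, 'TOKEN-PLACEHOLDER', fakeFetch)
  .then(obj => console.log('Created', obj._ref));
```

The request builder validates the type name before it is interpolated into the path, and the token is URL-encoded rather than concatenated raw; both keep a value read from the page from reshaping the request URL.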

Additional Information

To learn more about the App SDK, API Keys and Security Tokens, see the links below.