Microsoft Dynamics 365 Business Central provides several REST-based APIs that allow developers to create, update, delete data, and execute business logic. These APIs follow OData v4 standards, ensuring efficiency. This article focuses on the Application APIs, excluding the Automation and Admin Center APIs.
What is REST API
A REST API, or Representational State Transfer Application Programming Interface, is a tool that allows different software applications to communicate with each other over the internet. It defines how requests for data or services should be made, how to handle those requests, and how the responses should be formatted, typically in JSON or XML. The REST API is not the database itself, but specialized code that governs how an application can interact with and access the application’s data, ensuring that requests are properly processed and responses are correctly delivered.
Authentication
Because APIs provide access to sensitive data, it is important to use the most secure authentication supported by deployment. D365 Business Central supports multiple authentication methods for securing API access. The appropriate method depends on whether you are using D365 Business Central SaaS (cloud) or on-premises deployments. Below are the four main authentication types:
1. User Impersonation (Delegated OAuth 2.0 Authentication)
- Used when an application acts on behalf of a signed-in user.
- Requires OAuth 2.0 with Entra ID authentication.
- Ideal for scenarios where users log in and interact with D365 Business Central data via a third-party application (ex. Popdock).
- Permissions are based on the user’s role and security settings within Business Central.
2. Service-to-Service (S2S) Authentication (Application OAuth 2.0)
- Designed for background services and automated integrations that don’t require user interaction.
- Uses OAuth 2.0 with Entra Id app registrations and application permissions instead of delegated user permissions (ex. SmartConnect).
- The app is granted direct access to D365 Business Central APIs without user login.
3. Basic Authentication (On-Premises Only)
- Uses a username and password combination for authentication.
- Is supported in D365 Business Central on-premises but is deprecated in D365 Business Central SaaS for security reasons.
- Less secure than OAuth and not recommended for new integrations.
4. Web Service Access Keys (On-Premises Only)
- A method specific to D365 Business Central on-premises deployments.
- Uses a Web Service Access Key (generated per user) instead of a password.
- Enables API authentication without requiring Entra ID.
- Considered a workaround when OAuth 2.0 is not available.
OData v4 APIs
The OData v4 APIs provide a flexible way to query and interact with data, supporting advanced filtering and sorting. These APIs expose standard page objects, allowing a non-developer user to publish (almost) any D365 Business Central Page, Query, or Codeunit as an API. However, because these pages are tied to the user interface, they come with additional overhead. Depending how much logic is on the page, the performance can be greatly reduced when compared to the Standard or Custom APIs.
Advantages
- Easy to use for non-developers.
- Custom fields are natively available.
Disadvantages
- Poor Performance.
- No webhook support.
- Some page modifications are not compatible with the API.
Standard Business Central APIs (v2.0)
The Standard Business Central API v2.0 includes approximately 55 endpoints, offering easy access to core areas of D365 Business Central. These endpoints are built as API Page objects and are optimized for access through the API without loading user interface components, resulting in significantly better performance compared to standard page objects. However, the Standard API v2.0 has a big limitation – it exposes only a subset of available fields. For example, the Customer API includes only 27 fields, but the underlying Customer table contains over 200 fields.
Advantages
- Best performance.
- Available standard.
- Webhook support.
Disadvantages
- Very limited field list.
- APIs can’t be modified.
- Object and field names don’t match standard terminology.
Custom APIs (API Queries & Pages)
A D365 Business Central developer can create a custom API using an AL extensions, allowing them to expose specific data and business logic tailored to your needs. These APIs can be built using API Pages for structured entity access or API Queries for optimized data retrieval. Custom APIs offer greater flexibility than Standard APIs, enabling developers to include additional fields, apply complex filtering, and optimize performance for specific use cases.
Advantages
- Best Performance.
- Adapted to your unique requirements.
- Webhook support.
Disadvantages
- Requires custom development.
Conclusion
D365 Business Central provides a robust set of APIs that enable you to build powerful integrations and data access data outside Business Central. Whether using OData v4 APIs for flexible access, Standard API v2.0 for optimized performance, or custom APIs tailored to specific business needs, you have multiple options to interact with Business Central data efficiently.
Understanding the strengths and limitations of each API type is key to choosing the right approach for your integration. For lightweight, high-performance operations with the most control, custom APIs is often the best choice. When deeper data access is needed, and reduced performance is acceptable, OData v4 APIs offer greater flexibility
By leveraging these APIs effectively, you can extend the functionality of D365 Business Central and create powerful integrations that enhance productivity.
This is blog is the first in a series of three about integrating with Dynamics 365 Business Central. Read more in the following blogs:
If you have questions about REST APIs or how you can implement them in your environment, please contact us.
