# Call Backstage Backend API from another client


modern magnet
#

Is it possible to call a Backstage API (to get catalog registrations) from a client other than the frontend? Like another API?

small kiln
#

It is possible. We have our own entityProvider, which checks some data in the catalog (through CatalogClient) before it applies the entity for the entityProcessor.

twilit grove
#

Not all APIs expect to be called from services, though. Scaffolder is one, for example.

modern magnet
#

Thank you 🙂 I didn't see that buried in the docs!

barren belfry
# twilit grove yes, and depending on how much permissions you've set up, you may need https://b...

@vital nova and @oblique dove we are yet to migrate to the new backend; however, we have got an urgent ask to enable auth for the backend APIs. We do have some external applications consuming our backend APIs. As per the docs here https://backstage.io/docs/auth/service-to-service-auth/#external-callers-legacy we need to provide the decoded value of the backend secret to them to generate a JWT token. What is the best way to implement this complete integration? How can external callers generate a JWT by accessing our secret key in a secure manner?

This section describes how service-to-service authentication works, both internally within Backstage plugins and when external callers want to make requests.

oblique dove
#

That's up to them. That's the drawback of that legacy method. You give them the secret (either the base64 encoded one or decoded, that's up to you as long as you tell them which one it is)

#

And then you point them to the docs and tell them to make JWTs with those instructions

#

How they do that depends on the language and platform they are on

#

We, since we're on nodejs, use the jose library to make tokens but on other platforms there will be other preferred libraries

#

I'd almost recommend leaving the backend unsecured as long as you are on the old backend system, and instead deploy it behind your firewalls

#

And then open a small ingress somewhere that accepts static auth, and proxy through that to the actual backend within your perimeter
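
The legacy token flow discussed in this thread, as an added example that is not part of the original posts and not Backstage's own code: an external caller mints an HS256 JWT keyed with the base64-decoded secret, and a receiver checks it. The `sub: "backstage-server"` claim and one-hour `exp` follow the legacy external-callers docs linked above; the function names and the demo secret are hypothetical, and Node's built-in `crypto` is used here instead of jose.

```javascript
// Added example, not Backstage code; uses only Node's built-in crypto module.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// HMAC-SHA256 over "header.payload", keyed with the base64-DECODED secret bytes.
// Keying with the base64 text itself yields tokens the backend will reject.
function sign(signingInput, secretB64) {
  const key = Buffer.from(secretB64, "base64");
  return crypto.createHmac("sha256", key).update(signingInput).digest();
}

// Caller side: build a token valid for one hour (sent as "Authorization: Bearer <token>").
function mintLegacyToken(secretB64, nowSec = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: "HS256" }));
  const payload = b64url(JSON.stringify({ sub: "backstage-server", exp: nowSec + 3600 }));
  const input = `${header}.${payload}`;
  return `${input}.${b64url(sign(input, secretB64))}`;
}

// Receiver side: pin the algorithm, compare the MAC in constant time, then check claims.
function verifyLegacyToken(token, secretB64, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return false;
  const [header, payload, sig] = parts;
  let h, p;
  try {
    h = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    p = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return false; // malformed header or payload
  }
  if (h?.alg !== "HS256") return false; // never accept "none" or another algorithm
  const expected = sign(`${header}.${payload}`, secretB64);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  return p?.sub === "backstage-server" && Number.isFinite(p.exp) && p.exp > nowSec;
}

// Constructed demo secret (base64-encoded, as it would appear in config); not a real key.
const DEMO_SECRET_B64 = Buffer.from("constructed-demo-key-do-not-use").toString("base64");
console.log(verifyLegacyToken(mintLegacyToken(DEMO_SECRET_B64), DEMO_SECRET_B64));
```

Because the key is symmetric, every caller holding it can mint tokens as `backstage-server`, which is the drawback of the legacy method described above.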