Status Under review
Workspace API Connect
Created by Guest
Created on Mar 25, 2024

Configure the default error response to prioritise authorisation ahead of available resources

Today, if a consumer tries to call an API or endpoint that does not exist, they get a 404 response returned. This could be an attack vector by malicious users who want to find which endpoints are available.

We would like to see a configuration or option that allows 401s to be returned instead of 404s in order to reduce security vectors.

Preferred behaviour:

1. supplying invalid Application credentials, to an API that doesn't exist = 401 (instead of 404)

2. supplying valid Application credentials, to an API that doesn't exist = 404

Idea priority Medium
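
The ordering the idea asks for, sketched as an added example; it is not part of the original post and is not API Connect code. The route table, the application credentials and all function names are hypothetical, and `route_first` is an assumed model of the current behaviour in which an existing endpoint answers 401 to bad credentials.

```python
import hmac

# Constructed sample data (hypothetical): published operations and one application.
ROUTES = {("GET", "/orders"), ("POST", "/orders"), ("GET", "/customers")}
APPS = {"app-123": "constructed-secret"}  # client_id -> client_secret


def credentials_valid(client_id, client_secret):
    """Compare in constant time; unknown IDs are still compared, against an empty secret."""
    expected = APPS.get(client_id, "")
    match = hmac.compare_digest(expected.encode(), (client_secret or "").encode())
    return match and client_id in APPS


def route_first(method, path, client_id=None, client_secret=None):
    """Assumed model of the current order: resolve the endpoint, then authenticate."""
    if (method, path) not in ROUTES:
        return 404
    return 200 if credentials_valid(client_id, client_secret) else 401


def auth_first(method, path, client_id=None, client_secret=None):
    """Requested order: authenticate, and only then reveal whether the endpoint exists."""
    if not credentials_valid(client_id, client_secret):
        return 401
    return 200 if (method, path) in ROUTES else 404


def leaks_existence(handler, client_id=None, client_secret=None):
    """True if this caller sees different statuses for a real and a made-up path."""
    probes = [("GET", "/orders"), ("GET", "/does-not-exist")]
    return len({handler(m, p, client_id, client_secret) for m, p in probes}) > 1


if __name__ == "__main__":
    for name, handler in (("route_first", route_first), ("auth_first", auth_first)):
        print(name, "leaks to unauthenticated caller:", leaks_existence(handler, "bad-id", "bad"))
```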
  • Guest
    May 20, 2024

    Thanks - this makes perfect sense to us as a viable solution option. This IDEA is raised to see if there's a future possibility to have the desired behaviour baked-in to the product; either as the default behaviour, or a selectable behaviour exposed without the need for an additional Global policy.

    Some Customers wish to avoid any gateway customisation / additional points of maintenance.

  • Admin
    Dan Temkin
    May 16, 2024

    Default behavior can be changed and we have documented an example here; please update the idea if this is not a solution to the request: https://www.ibm.com/support/pages/node/7137309?myns=swgother&mynp=OCSSMNED&mync=F&cm_sp=swgother-_-OCSSMNED-_-F

  • Admin
    Dan Temkin
    Mar 26, 2024

    This is being reviewed - but we are looking for more business justification. It is not required to have Application Credentials for API Connect, though it is highly recommended.