Hi @Sam123 ,
- @MicroserviceApplication adds a lot of implicated dependencies and annotation including Spring Security. The health endpoint in general is without any auth requirement, all other endpoints must be authenticated with a valid cumulocity user. So no, you always have to pass Cumulocity credentials even when run it locally (except the health endpoint).
- The bootstrapuser is just for retrieving the service user for each tenant. I think I made this clear now multiple times. You should not use that in any other API Call of your microservice (even when it is working). The service user permissions are defined in your manifest file.
- (your 1.). Env. MULTI_TENANT is needed locally only (I don’t know the reason though but if you want to run your microservice locally this must be set.)
- (your 2.) Yes, if you don’t protect your REST endpoints this is the expected case. You can use any user without any permission to call the microservice endpoint including the bootstrapuser… still you shouldn’t do that. Internally the service user is used, that the reason you user you authenticating with doesn’t need any permission.
- (your 3.) There is a java doc available Overview (Cumulocity Microservice SDK)
Still I think you should have started with a pre-defined and configured microservice as a template and adapting that to your needs.