In the code that consumes the REST API you would need to proxy through the same session token. We do this using cURL. The downside is that you would need to keep separate auditing on the consumption side since everything in X3 would be audited using the single user and session ID.

I would much prefer that REST API's not consume badges as that gets horribly expensive, particularly since the sessions aren't easily killed from what I can tell.

Are you using sdata to make your API calls?

I'm not sure what you mean by using sdata?  Below is an example of the calls we are using:

https://<x3serverurl>:8124/ api1/x3/erp/<endpoint>/ITMMASTER?representation=ITMMASTER.$query&where=CREDAT ge @2020-01-01@ or UPDDAT ge @2020-01-01@&count=50

We were using sdata instead of api1 and had similar issues. But I see by your link that you are using ap1 already.

Sorry, the only thing I could recommend is to check out your nodelocal.js file on the webserver and it has the api1SessionTimeout and statelessTimeout set.

Please see this knowledge base article for more help.

support.na.sage.com/.../viewdocument.do