Oracle ERP Cloud
ERP
system_type: "oracle_erp"
Proxy Oracle Fusion REST APIs (Financials, SCM, HCM) with PQC-sealed basic_auth or OAuth2 credentials.
Overview
The Oracle ERP Cloud connector proxies calls to Oracle Fusion REST APIs across Financials, Supply Chain Management, and Human Capital Management modules. Basic auth or OAuth2 client credentials are sealed in QuantaVault and used to authenticate each proxied request.
https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_...
Prerequisites
1. An Oracle Fusion Cloud instance with REST API access
2. A service user account or OAuth2 confidential application in Oracle IDCS
3. Your Oracle Fusion base URL (e.g. https://yourinstance.oraclecloud.com)
4. A QuantaSeal API key
Configuration
Follow these steps to connect Oracle ERP Cloud to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. In Oracle IDCS, create a Confidential Application and note the client_id and client_secret.
2. Seal credentials: POST /api/v2/vault/seal with credential_type: oauth2_client.
3. Create the integration: POST /api/v2/integrations with system_type: oracle_erp and your Fusion base URL.
Authentication Types
Oracle Fusion supports both HTTP Basic auth (username + password) and OAuth2 client_credentials via Oracle IDCS. Use oauth2_client for production. Store credentials via POST /api/v2/vault/seal.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| query | Query Oracle Fusion REST collections with OData-style filters. |
| create | Create a Fusion business object. |
| update | Update a Fusion business object by primary key. |
| get | Retrieve a single Fusion business object. |
Code Example
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
```bash
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "integration_id": "int_01HZ9X2K4MNPQRORACLE00001",
    "operation": "query",
    "payload": {
      "module": "financialCommonComponents",
      "resource": "ledgers",
      "limit": 10
    }
  }'
```
Response - HybridCryptoEnvelope:
```json
{
  "success": true,
  "encrypted": {
    "ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
    "ciphertext_data": "<base64 - AES-256-GCM encrypted Oracle response>",
    "nonce": "<base64 - 12 bytes>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-KEM-768"
  },
  "signature": {
    "pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
    "hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
    "tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm": "ML-DSA-65+HMAC-SHA-512"
  },
  "audit_event_id": "aud_01HZ9XABCDEF"
}
```
client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.
Troubleshooting
401 - WWW-Authenticate: Bearer realm
Your OAuth2 token has expired or the IDCS application does not have the correct Oracle Fusion grant. Re-check the client credentials and OAuth2 scope in IDCS.
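As an added example (not QuantaSeal's SDK or code from this page), the sketch below shows a pre-decryption gate for the HybridCryptoEnvelope in the Code Example section: it checks the documented field sizes, algorithm labels and tenant binding, then combines two signature checks with bitwise & so both always run. The `verify_pqc` and `verify_hmac` callables are hypothetical stand-ins for your real verifiers, the function names are illustrative, and the ML-DSA-65 signature is assumed to be exactly 3309 bytes.

```python
import base64
import binascii

# Field sizes and algorithm labels taken from the response sample on this page.
SIZES = {
    "encrypted": {"ciphertext_kem": 1088, "nonce": 12},
    "signature": {"pqc_signature": 3309, "hmac_signature": 64},
}
ALGORITHMS = {"encrypted": "ML-KEM-768", "signature": "ML-DSA-65+HMAC-SHA-512"}


def envelope_problems(env, tenant_id):
    """Return structural problems found in env; an empty list means well-formed."""
    problems = []
    for section, algorithm in ALGORITHMS.items():
        part = env.get(section)
        if not isinstance(part, dict):
            problems.append(f"{section}: missing")
            continue
        if part.get("algorithm") != algorithm:
            problems.append(f"{section}.algorithm: unexpected value")
        if part.get("tenant_id") != tenant_id:
            problems.append(f"{section}.tenant_id: mismatch")
        for field, size in SIZES[section].items():
            try:
                raw = base64.b64decode(part.get(field) or "", validate=True)
            except (binascii.Error, ValueError, TypeError):
                problems.append(f"{section}.{field}: not valid base64")
                continue
            if len(raw) != size:
                problems.append(f"{section}.{field}: {len(raw)} bytes, expected {size}")
    return problems


def signatures_ok(env, verify_pqc, verify_hmac):
    """Run both verifiers unconditionally, then combine with bitwise &."""
    pqc_ok = bool(verify_pqc(env))    # hypothetical callable: ML-DSA-65 check
    hmac_ok = bool(verify_hmac(env))  # hypothetical callable: HMAC-SHA-512 check
    return pqc_ok & hmac_ok


def sample_envelope(tenant_id):
    """Constructed envelope with zero-filled fields of the documented sizes."""
    def blob(n):
        return base64.b64encode(bytes(n)).decode()
    env = {s: {f: blob(n) for f, n in fields.items()} for s, fields in SIZES.items()}
    for section, algorithm in ALGORITHMS.items():
        env[section].update(tenant_id=tenant_id, algorithm=algorithm)
    env["encrypted"]["ciphertext_data"] = blob(32)
    return env
```

Reject the envelope when `envelope_problems` returns anything or `signatures_ok` is false, and only then pass it to decryption.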