[Suggestion] Make specific names a requirement for API key use — Guild Wars 2 Forums

[Suggestion] Make specific names a requirement for API key use

These days there is a wide variety of Apps with different purposes that require an API key. Some of them require name-specific API key and some dont.

Problem

Players share API keys for a variety of reasons these days but even, if they give it a specific name to use it for a specific app, other players can still use these API keys on Apps that dont require a specific name and they might reveal more information than intended.

Solution

Make naming API keys a requirement for creation in our account menu and use on different apps.

Tagged:

Comments

  • Zok.4956Zok.4956 Member ✭✭
    edited September 13

    Every API-client can request API-data from a user with a valid API-key. So the user should be careful which app to trust for giving it his API-key. The given name within an API-key does not change that, because there is no client-identification or authorization of a specific client-app in the API.

    I think a better and (more) secure solution would be, if an api-client can generate a public/private "app-client-key" and then shows its users its own public-app-key.
    And then the user can "bind" his/her own api-key to a specific app-public-key within his A-net account administration.
    And if a user-api-key is bound to a specific app-client-key, then the API-server from A-Net only allows requests for this key, if the requests are validated with the correct app-client-key. So the authorization and authentication is only done on the API-server-side by A-net (the only API-side we should trust).

    Only then a "misbehaving" api-client can do nothing with this user-api-key.

  • Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.

    Also I don't have any freetime these days to rework the entire API key system :(

    asdadasd

  • Wanze.8410Wanze.8410 Member ✭✭

    @Lawton Campbell.8517 said:
    Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.

    Also I don't have any freetime these days to rework the entire API key system :(

    I guess you meant that you havent found a way yet.

    Cant you just make the API key name a required (variable) permission?

  • I am already annoyed by some websites forcing you to name your API keys in specific ways, it better does not become mandatory

  • @Malediktus.9250 said:
    I am already annoyed by some websites forcing you to name your API keys in specific ways, it better does not become mandatory

    I totally agree with Malediktus.9250

©2010–2018 ArenaNet, LLC. All rights reserved. Guild Wars, Guild Wars 2, Heart of Thorns, Guild Wars 2: Path of Fire, ArenaNet, NCSOFT, the Interlocking NC Logo, and all associated logos and designs are trademarks or registered trademarks of NCSOFT Corporation. All other trademarks are the property of their respective owners.