[Suggestion] Make specific names a requirement for API key use — Guild Wars 2 Forums

[Suggestion] Make specific names a requirement for API key use

These days there is a wide variety of Apps with different purposes that require an API key. Some of them require a name-specific API key and some don't.

Problem

Players share API keys for a variety of reasons these days, but even if they give it a specific name to use it for a specific app, other players can still use these API keys on Apps that don't require a specific name, and they might reveal more information than intended.

Solution

Make naming API keys a requirement for creation in our account menu and use on different apps.


Comments

  • Zok.4956 Member ✭✭✭
    edited September 13, 2017

    Every API-client can request API-data from a user with a valid API-key. So the user should be careful about which app to trust with his API-key. The given name within an API-key does not change that, because there is no client-identification or authorization of a specific client-app in the API.

    I think a better and (more) secure solution would be if an api-client could generate a public/private "app-client-key" and then show its users its own public-app-key.
    And then the user can "bind" his/her own api-key to a specific app-public-key within his A-net account administration.
    And if a user-api-key is bound to a specific app-client-key, then the API-server from A-Net only allows requests for this key if the requests are validated with the correct app-client-key. So the authorization and authentication are only done on the API-server-side by A-net (the only API-side we should trust).

    Only then can a "misbehaving" api-client do nothing with this user-api-key.

    https://www.gw2gh.com/ - A GW2-Guild-Hall.
    Register and check your guild leaderboard to see who is the best in your guild and who finished achievements first.
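
The server-side check proposed in the post above, as an added sketch that is not code from the thread or from ArenaNet's API. The `Server` type, the binding table, the message layout and the placeholder key are all assumptions made for illustration; Ed25519 stands in for the unspecified "public/private app-client-key".

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Server is a hypothetical API server. bindings maps a user API key to the
// public key of the one app the user allowed to use it.
type Server struct {
	bindings map[string]ed25519.PublicKey
}

var ErrBadSignature = errors.New("request not signed by the bound app")

// Authorize accepts a request if the key is unbound (today's behaviour) or
// the signature verifies under the bound app's public key.
func (s *Server) Authorize(apiKey, request string, sig []byte) error {
	pub, bound := s.bindings[apiKey]
	if !bound {
		return nil // unbound key: any client holding it may use it
	}
	// Key and request are signed together. A deployed design would also
	// sign a nonce or timestamp so a captured signature cannot be replayed.
	msg := []byte(apiKey + "\n" + request)
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	return nil
}

// SignRequest is what the app does with its private key before sending.
func SignRequest(priv ed25519.PrivateKey, apiKey, request string) []byte {
	return ed25519.Sign(priv, []byte(apiKey+"\n"+request))
}

// Demo returns (bound app accepted, other app rejected) for a constructed key.
func Demo() (bool, bool) {
	appPub, appPriv, _ := ed25519.GenerateKey(nil) // the app the user trusts
	_, otherPriv, _ := ed25519.GenerateKey(nil)    // another app holding the same key
	const apiKey = "EXAMPLE-USER-API-KEY"          // constructed placeholder
	const req = "GET /v2/account"
	srv := &Server{bindings: map[string]ed25519.PublicKey{apiKey: appPub}}
	ok := srv.Authorize(apiKey, req, SignRequest(appPriv, apiKey, req)) == nil
	rejected := srv.Authorize(apiKey, req, SignRequest(otherPriv, apiKey, req)) != nil
	return ok, rejected
}

func main() { fmt.Println(Demo()) }
```

The unbound branch shows why binding would have to be opt-in per key: existing keys keep working with any client, and only keys the user has bound gain the extra check.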

  • Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.

    Also I don't have any free time these days to rework the entire API key system :(

    asdadasd

  • Wanze.8410 Member ✭✭✭

    @Lawton Campbell.8517 said:
    Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.

    Also I don't have any free time these days to rework the entire API key system :(

    I guess you meant that you haven't found a way yet.

    Can't you just make the API key name a required (variable) permission?

  • Malediktus.9250 Member ✭✭✭✭

    I am already annoyed by some websites forcing you to name your API keys in specific ways; it had better not become mandatory.

  • @Malediktus.9250 said:
    I am already annoyed by some websites forcing you to name your API keys in specific ways; it had better not become mandatory.

    I totally agree with Malediktus.9250