
[Suggestion] Make specific names a requirement for API key use


Wanze.8410


These days there is a wide variety of apps with different purposes that require an API key. Some of them require a name-specific API key and some don't.

Problem

Players share API keys for a variety of reasons these days, but even if they give it a specific name to use it for a specific app, other players can still use these API keys on apps that don't require a specific name, and they might reveal more information than intended.

Solution

Make naming API keys a requirement for creation in our account menu and use on different apps.

Link to comment
Share on other sites

Every API-client can request API-data from a user with a valid API-key. So the user should be careful which app to trust for giving it his API-key. The given name within an API-key does not change that, because there is no client-identification or authorization of a specific client-app in the API.

I think a better and (more) secure solution would be if an api-client can generate a public/private "app-client-key" and then shows its users its own public-app-key. And then the user can "bind" his/her own api-key to a specific app-public-key within his A-net account administration. And if a user-api-key is bound to a specific app-client-key, then the API-server from A-Net only allows requests for this key if the requests are validated with the correct app-client-key. So the authorization and authentication is only done on the API-server-side by A-net (the only API-side we should trust).

Only then a "misbehaving" api-client can do nothing with this user-api-key.

Link to comment
Share on other sites
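The binding scheme proposed in the post above, sketched as an added example that is not part of the thread and not ArenaNet's API. It assumes Ed25519 as the app key type, a signed message layout of key, path and timestamp, and a 300-second freshness window; all names (`Server`, `NewAppKey`, `Sign`, `Authorize`) and sample values are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strconv"
)

// maxSkew (seconds) is an assumed freshness window that limits replay of a captured request.
const maxSkew = 300

// Server holds the bindings users create: user API key -> public key of the one app allowed to use it.
type Server map[string]ed25519.PublicKey

// NewAppKey is run once by the app developer; only the public half is shown to users.
func NewAppKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// message is the byte string the app signs; this layout is an assumption of the sketch.
func message(apiKey, path string, ts int64) []byte {
	return []byte(apiKey + "\n" + path + "\n" + strconv.FormatInt(ts, 10))
}

// Sign runs inside the app, which never sends its private key anywhere.
func Sign(priv ed25519.PrivateKey, apiKey, path string, ts int64) []byte {
	return ed25519.Sign(priv, message(apiKey, path, ts))
}

// Authorize is the server-side check: a bound key needs a fresh signature from the bound app.
func (s Server) Authorize(apiKey, path string, ts, now int64, sig []byte) bool {
	pub, isBound := s[apiKey]
	if !isBound {
		return true // unbound keys keep today's behaviour: possessing the key is enough
	}
	if d := now - ts; d > maxSkew || d < -maxSkew {
		return false // stale or future-dated request
	}
	return ed25519.Verify(pub, message(apiKey, path, ts), sig)
}

func main() {
	pub, priv := NewAppKey()
	s := Server{"CONSTRUCTED-KEY": pub} // constructed sample key, bound to one app
	fmt.Println(s.Authorize("CONSTRUCTED-KEY", "/sample", 1700000000, 1700000000, Sign(priv, "CONSTRUCTED-KEY", "/sample", 1700000000)))
}
```

Because unbound keys are still accepted on possession alone, binding in this sketch is opt-in per key: existing apps keep working until a user binds the key they were given.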

@Lawton Campbell.8517 said: Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.

Also I don't have any free time these days to rework the entire API key system :(

I guess you meant that you haven't found a way yet.

Can't you just make the API key name a required (variable) permission?

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
