User API keys specification

I like that the API key would be flagged explicitly as “allowed in GET” at the user level.

As a whole the option could be open for any GETs. The rule I like is, when operating in this mode:

  1. User API key is 100% restricted to a single specific GET controller action
  2. User API key is flagged as allowed in GET query params.

This limits the impact of any leak here via a proxy because the key will never be reused.

I guess {get: 'list#new'}, {get: 'list#latest'} would work as well.

7 Likes
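The two rules above (a key scoped to exactly one GET controller action, plus an explicit "allowed in query params" flag set when the key is issued) can be checked in one small authorizer. The Ruby below is an added illustration written for this thread, not Discourse's own code; the class names (ApiKeyScope, UserApiKey, UserApiKeyAuthorizer), the Request struct and the sample keys are all assumptions made for the example. It accepts the {get: 'list#latest'} scope shape from the post, stores only a hash of the key, and refuses a query-string key unless the key was flagged for it.

```ruby
require 'securerandom'
require 'digest'

# Minimal stand-in for a Rails request: method, routed controller#action, and the
# key as presented either in a header or in the query string (assumed shape).
Request = Struct.new(:method, :controller, :action, :header_key, :query_key, keyword_init: true)

# Byte-wise comparison that does not short-circuit on the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# One scope per key, written as {get: 'controller#action'}; anything else is rejected
# at issue time so a key can never grow beyond a single GET action.
class ApiKeyScope
  attr_reader :controller, :action

  def initialize(scope)
    raise ArgumentError, 'exactly one scope entry is required' unless scope.size == 1
    verb, target = scope.first
    raise ArgumentError, 'only GET actions may be scoped' unless verb.to_s.casecmp('get').zero?
    @controller, @action = target.to_s.split('#', 2)
    if @controller.to_s.empty? || @action.to_s.empty?
      raise ArgumentError, "scope must look like 'controller#action'"
    end
  end

  def allows?(method, controller, action)
    method.to_s.casecmp('get').zero? && controller == @controller && action == @action
  end
end

# A user API key record: the plaintext is handed out once, only its SHA-256 is kept,
# and allowed_in_get is fixed when the key is created (hypothetical model).
class UserApiKey
  attr_reader :user_id, :scope, :allowed_in_get, :plaintext

  def initialize(user_id:, scope:, allowed_in_get: false)
    @user_id = user_id
    @scope = ApiKeyScope.new(scope)
    @allowed_in_get = allowed_in_get
    @plaintext = SecureRandom.hex(32)
    @key_hash = Digest::SHA256.hexdigest(@plaintext)
  end

  def matches?(candidate)
    constant_time_equal?(Digest::SHA256.hexdigest(candidate.to_s), @key_hash)
  end
end

# Applies both rules from the thread. Returns [:ok, user_id] or [:denied, reason].
class UserApiKeyAuthorizer
  def initialize(keys)
    @keys = keys
  end

  def authorize(request)
    if request.header_key
      presented, via_query = request.header_key, false
    elsif request.query_key
      presented, via_query = request.query_key, true
    else
      return [:denied, :no_key]
    end

    key = @keys.find { |k| k.matches?(presented) }
    return [:denied, :unknown_key] unless key
    # Rule 2: a query-string key is only honoured if the key was flagged for it.
    return [:denied, :key_not_allowed_in_query] if via_query && !key.allowed_in_get
    # Rule 1: the key works for exactly one GET controller action and nothing else.
    unless key.scope.allows?(request.method, request.controller, request.action)
      return [:denied, :out_of_scope]
    end
    [:ok, key.user_id]
  end
end

# Constructed sample keys: one flagged for query params, one header-only.
QUERY_KEY  = UserApiKey.new(user_id: 42, scope: { get: 'list#latest' }, allowed_in_get: true)
HEADER_KEY = UserApiKey.new(user_id: 7,  scope: { get: 'list#new' })
AUTHORIZER = UserApiKeyAuthorizer.new([QUERY_KEY, HEADER_KEY])

# Small driver so the file runs on its own.
def demo
  [
    AUTHORIZER.authorize(Request.new(method: 'GET', controller: 'list', action: 'latest', query_key: QUERY_KEY.plaintext)),
    AUTHORIZER.authorize(Request.new(method: 'GET', controller: 'list', action: 'new', query_key: HEADER_KEY.plaintext)),
    AUTHORIZER.authorize(Request.new(method: 'GET', controller: 'list', action: 'new', query_key: QUERY_KEY.plaintext)),
  ]
end

demo.each { |r| puts r.inspect } if $PROGRAM_NAME == __FILE__
```

The scope check deliberately compares the routed controller and action rather than the raw path, so a key issued for list#latest stays useless for any other route even when the same controller serves it.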