abc-user-feedback
Document the scope of API Keys
I created an API key to test some stuff in Postman and noticed that not all endpoints actually allow authentication via API keys.
{
"statusCode": 401,
"message": "Invalid jwt",
"error": "Unauthorized",
"path": "/api/projects/1/channels/"
}
Since you create those API keys in the project scope, I felt like this would be a logical step.
If this is not intended by you, I would suggest documenting this and adding a warning/info field in the client.
@zaanposni
There are two types of API keys and two types of API endpoints, so it might confuse you.
The first type of API endpoint is the 'open' API endpoint. There is only one endpoint of this type so far, 'creating a feedback', which must be callable from other applications. Therefore it needs the 'API KEY', which I think is what you made.
The second type of API endpoint is just for the user feedback front-end web site. This type of endpoint uses a JWT internally, which can be obtained from the 'sign in' API. With this JWT token, you can call all the other endpoints.
As we do not have 'creating project' and 'creating channel' features in the front page right now, you should get the JWT token from the signed-in front web page and use it to create the project and channel.
Sorry for the inconvenience.
Yes I was talking about the first type of keys.
My point is that the API Key Management page in the frontend just seems like a normal API key page that you can find in all kinds of applications. So I thought that this API key has admin access (or a similar role) to the whole project.
It just feels like you are in the "project" scope and not the "create feedback" scope. This is merely a UX issue in my opinion.
I think a solution like this could be helpful:
Now I fully understand it. I will talk to our team designer about adding it. Thanks for the good advice!