[Suggestion] Make specific names a requirement for API key use

[Wanze.8410]

These days there is a wide variety of Apps with different purposes that require an API key. Some of them require name-specific API key and some dont.

 

## Problem

 

Players share API keys for a variety of reasons these days but even, if they give it a specific name to use it for a specific app, other players can still use these API keys on Apps that dont require a specific name and they might reveal more information than intended.

 

## Solution

 

Make naming API keys a requirement for creation in our account menu and use on different apps.

[Zok.4956]

Every API-client can request API-data from a user with a valid API-key. So the user should be careful which app to trust for giving it his API-key. The given name within an API-key does not change that, because there is no client-identification or authorization of a specific client-app in the API.

 

I think a better and (more) secure solution would be, if an api-client can generate a public/private "app-client-key" and then shows its users its own public-app-key.

And then the user can "bind" his/her own api-key to a specific app-public-key within his A-net account administration.

And if a user-api-key is bound to a specific app-client-key, then the API-server from A-Net only allows requests for this key, if the requests are validated with the correct app-client-key. So the authorization and authentication is only done on the API-server-side by A-net (the only API-side we should trust).

 

Only then a "misbehaving" api-client can do nothing with this user-api-key.

 

 

[Lawton Campbell.8517]

Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.

 

Also I don't have any freetime these days to rework the entire API key system :(

[Wanze.8410]

> @"Lawton Campbell.8517" said:

> Unfortunately, there's no way to do this in a backwards-compatible way. Implementing this would break a whole swath of apps that don't check the API key name.

>

> Also I don't have any freetime these days to rework the entire API key system :(

 

I guess you meant that you havent found a way **yet**.

 

Cant you just make the API key name a required (variable) permission?

[Malediktus.9250]

I am already annoyed by some websites forcing you to name your API keys in specific ways, it better does not become mandatory

[Elfo Bianco.3786]

> @Malediktus.9250 said:

> I am already annoyed by some websites forcing you to name your API keys in specific ways, it better does not become mandatory

 

I totally agree with Malediktus.9250