Archranis.2375:

It seems straightforward that to access account information the associated GUID is required; presumably this is why the “account” level permission is required when creating an API Key.

But why does this also include “display name”, “home world”, and “list of guilds”? I don’t see how those are required to access account information; I think they should be allowed/disallowed separately from the account GUID. For example, why would a third-party app need to know my display name — ever? Is it so the author of the app can search my forum postings?

Request/Suggestion: Could the API Key permissions be partitioned a little so that the GUID is the only “required” permission (i.e., “account” permission == GUID) and the remainder of the “account” permissions are broken out into their own group?

Lawton Campbell.8517:

From a technical standpoint, the API is implemented by a JavaScript “frontend” on top of a collection of backend servers — the backend servers enforce all the scopes. Pretty much all of the authenticated endpoints need the user’s game account ID, which is a secret distinct from the account GUID we return and is only accessible internally with the “account” scope (which is why that scope is required for all API keys).

At this point, it would be fairly difficult to change the behavior without affecting third-party applications.
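To make the two posts above concrete, here is an added illustrative model (not the real Guild Wars 2 API implementation) of a backend that enforces scopes the way the second post describes: the internal game account ID is resolved only for keys carrying the “account” scope and never appears in a response, while the public GUID is what clients see. It also models the partition the first post asks for, by gating “display name”, “home world” and “list of guilds” behind a separate hypothetical “profile” scope. The scope name “profile”, the endpoint dispatch, and every GUID, ID and profile value are constructed assumptions.

```python
"""Illustrative backend scope enforcement for an API-key-gated account API.

Added example, not ArenaNet's code. The "profile" scope, the endpoint paths as
used here, and all identifiers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class ApiKey:
    """An API key as the backend sees it once the frontend has validated it."""
    account_guid: str       # the public GUID returned to third parties
    scopes: FrozenSet[str]  # permissions granted when the key was created


# Constructed backend data. The internal game account ID is the secret that
# must never leave the backend; the GUID is the only identifier a client sees.
_INTERNAL_ACCOUNT_ID: Dict[str, str] = {
    "guid-1111-aaaa": "gameacct-0x5f3a",  # constructed values
}
_PROFILE: Dict[str, Dict[str, object]] = {
    "gameacct-0x5f3a": {
        "display_name": "Example.1234",
        "world": 1001,
        "guilds": ["guild-guid-1"],
    },
}

# Scope set required per endpoint ("inventories" is an existing GW2 scope;
# the endpoint-to-scope mapping here is an assumption).
ENDPOINT_SCOPES: Dict[str, FrozenSet[str]] = {
    "/v2/account": frozenset({"account"}),
    "/v2/account/bank": frozenset({"account", "inventories"}),
}

# Scope required per field of the account document: the finer partition the
# first post asks for. "profile" is a hypothetical scope.
FIELD_SCOPES: Dict[str, str] = {
    "display_name": "profile",
    "world": "profile",
    "guilds": "profile",
}


class ScopeError(PermissionError):
    """Raised when a key lacks the scope needed for an internal operation."""


def resolve_internal_id(key: ApiKey) -> str:
    """Map the public GUID to the internal game account ID.

    Only keys with the "account" scope may perform this mapping, which is why
    every authenticated endpoint ends up requiring that scope.
    """
    if "account" not in key.scopes:
        raise ScopeError("account scope required to resolve the game account")
    return _INTERNAL_ACCOUNT_ID[key.account_guid]


def handle(key: ApiKey, endpoint: str) -> Tuple[int, Dict[str, object]]:
    """Enforce endpoint scopes, then field scopes, and never leak the internal ID."""
    required = ENDPOINT_SCOPES.get(endpoint)
    if required is None:
        return 404, {"text": "no such endpoint"}
    missing = sorted(required - key.scopes)
    if missing:
        return 403, {"text": "requires scopes", "missing": missing}

    internal_id = resolve_internal_id(key)  # cannot fail: "account" is in every set

    if endpoint == "/v2/account":
        profile = _PROFILE[internal_id]
        body: Dict[str, object] = {"id": key.account_guid}
        # Field-level partition: a key with only "account" gets the GUID alone.
        body.update({f: v for f, v in profile.items()
                     if FIELD_SCOPES[f] in key.scopes})
        return 200, body

    # /v2/account/bank: the internal ID is used for the lookup but not returned.
    return 200, {"items": []}


if __name__ == "__main__":
    minimal = ApiKey("guid-1111-aaaa", frozenset({"account"}))
    full = ApiKey("guid-1111-aaaa", frozenset({"account", "profile"}))
    print(handle(minimal, "/v2/account"))       # GUID only
    print(handle(full, "/v2/account"))          # GUID plus profile fields
    print(handle(minimal, "/v2/account/bank"))  # 403, missing "inventories"
```

The point of the two-layer check is that the endpoint scope decides whether the backend will resolve the secret game account ID at all, while the field scopes decide what of the account document comes back; the internal ID is consumed inside the handler and is absent from every response.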