API Keys: Account Permission
pmnt.4067:
I have a question about the permissions for API keys. Why is the “account” permission mandatory?
It seems to me that the most popular applications for the API keys is to calculate the gold value of the bank/material storage/inventory. To work properly, these applications need the “inventories” and “wallet” permissions, but wouldn’t strictly need the “account” data.
I see the theoretical possibility that such a “net account value” application could use the API data to select profitable targets for hacking attempts. If the account permission wasn’t necessary, the applications could still work properly to calculate the account value, but don’t know which account is worth so much.
Is there a technical reason why the “account” permission is mandatory? Or am I the only one who is paranoid enough to think of this scenario?
Lawton Campbell.8517:
The API “frontend” doesn’t have permission to do anything; the permissions are enforced by other backend servers. To talk to the backend servers about an account, we need to get the account ID which requires the “account” permission.