Edit API key add/remove perms
Rashy.4165:
It has likely already been considered, but the “Edit” option should allow us to change the permissions associated with a particular API key. Currently, the only way to do it is to create a new key with the new permissions and delete the old key, then update whatever application with the new key.
If there’s a valid reason for why that’s not available, that’s fine (whether it be a limitation with OAuth, or perhaps for security purposes).
Lawton Campbell.8517:
It’s a limitation with OAuth2. The API keys are currently secretly actually the bits required to construct an OAuth2 access token (specifically, they’re a refresh token and a client id). The OAuth2 spec doesn’t let you add permissions to keys, and since our OAuth2 implementation enforces this, there’s no way to change it without making API keys not use OAuth2 as a backend.
It’s something that’s bothered me as well; we had some internal talks about making a backend system dedicated for API keys but it’s a fairly high cost project for relatively little payoff, so I doubt it’ll happen any time soon.
That said, there probably won’t be any new permissions for a long while.
Rashy.4165:
That said, there probably won’t be any new permissions for a long while.
That works. Thanks for the response