Launching /v2/tokeninfo
Lawton Campbell.8517:
/v2/tokeninfo is a fairly straightforward authenticated endpoint; you just toss your API key at it, and it returns some details about that key:
Example request/response:
{
  "id": "017A2B0C-A6C5-CC4D-A055-680F427CE8FD",
  "name": "public key",
  "permissions": [
    "account",
    "characters"
  ]
}
This should allow for a poor man’s authentication using API keys — an application can request that the key used have a specific name, thus preventing the unintended use of API keys (e.g., if you misplace a key, applications can determine that the key was not intended for their use).
darthmaim.6017:
How long is this endpoint cached?
When using this endpoint to verify ownership of existing API keys I don’t want my users to have to wait (long), so maybe you could lower the cache time for this endpoint or even disable it. There is no reason this endpoint should get spammed with requests and I guess since it isn’t using any game resources it shouldn’t be too expensive.
Lawton Campbell.8517:
The key validity bits are uncached (e.g., when a key is deleted the endpoint will report immediately). The key name field is cached ~5 minutes.
I recommend recommending the creation of a new key for your application, if only because that’s really what people should be doing (a new key for each application) so that they can revoke individual keys if need be.
darthmaim.6017:
Yeah, that’s what I am doing now
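An added example, not part of the thread and not the API developers' code: one way an application could combine the name check from the first post with the new-key recommendation and the ~5 minute name cache. The naming scheme, the function names, the accept/retry/reject outcomes and the sample bodies are assumptions constructed for illustration; the check works on a response body that has already been fetched.

```python
import json
import secrets

NAME_CACHE_SECONDS = 5 * 60  # thread: the key name field is cached ~5 minutes


def new_expected_name(app_tag):
    """Name the user is asked to give a newly created key (hypothetical scheme)."""
    return f"{app_tag}-{secrets.token_hex(4)}"


def check_tokeninfo(body, expected_name, required_permissions, seconds_since_submit):
    """Classify a /v2/tokeninfo response body for one submitted key.

    Returns "accept", "retry" (name may still be cached) or "reject".
    """
    try:
        info = json.loads(body)
        name = info["name"]
        permissions = set(info["permissions"])
    except (ValueError, KeyError, TypeError):
        return "reject"  # not the shape shown in the thread: treat as invalid
    if not isinstance(name, str):
        return "reject"
    # Permissions are checked first: a key lacking them is useless to the
    # application no matter what it is called.
    if not set(required_permissions) <= permissions:
        return "reject"
    if name.strip() == expected_name:
        return "accept"
    # Wrong name: either the key was made for something else, or the user
    # renamed an existing key and the cached name has not expired yet.
    if seconds_since_submit < NAME_CACHE_SECONDS:
        return "retry"
    return "reject"


# Constructed sample bodies in the shape shown in the first post.
SAMPLE_OK = json.dumps({"id": "00000000-0000-0000-0000-000000000000",
                        "name": "myapp-1a2b3c4d",
                        "permissions": ["account", "characters"]})
SAMPLE_OTHER = json.dumps({"id": "00000000-0000-0000-0000-000000000000",
                           "name": "public key",
                           "permissions": ["account", "characters"]})

if __name__ == "__main__":
    print(check_tokeninfo(SAMPLE_OK, "myapp-1a2b3c4d", ["account"], 10))
    print(check_tokeninfo(SAMPLE_OTHER, "myapp-1a2b3c4d", ["account"], 10))
    print(check_tokeninfo(SAMPLE_OTHER, "myapp-1a2b3c4d", ["account"], 600))
```

The key name is readable by anything that holds the key, so this check signals what the key was created for; it is not a secret.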
zeeZ.5713:
Just dumping this here because I’m not a fan of new topics and it’s semi related to this one :P
The “New Key” page currently reads
Set a name, description, and set of permissions for this key. The name and description fields are for your use.
First: There is no “description” field
Second: That those fields “are for your use” kind of implies to me that only I will be able to see the name of this key. It may just be a minor privacy thing, but I think people should be made aware that this information is available through the API.
Third, while we’re here: Maybe make it clear that all (current) scopes are read only.