API Security

Question

Hi All,&nbsp;I'm working with a development team and want to limit their access to sensitive data within our application.&nbsp; The developer will require making extensive API calls.&nbsp; I'm aware that this level of access can be used to gain access to basically all parts of an application.The proposed work around is to create a duplicate application, without sensitive data, where they can conduct most of their work prior to going live.&nbsp; The developer would be provided API access to this new application only.&nbsp; Is this possible?I've read the documentation here:&nbsp;https://help.quickbase.com/api-guide/authentication_and_secure_access.html.It appears to indicate that if the user is authenticating through a 'User Token' this can be made app specific and the develop will not be able to access other applications within the domain.&nbsp; If the developer is authenticating through a 'Ticket' then that ticket can be used to access the entire domain.&nbsp; Therefore, the developer should be given access only to the duplicate application and should authenticate through a 'User Token' they create.&nbsp; &nbsp;Is this correct?If anyone has experience with this I would love any feedback you can offer.&nbsp;&nbsp;Thanks!Jake------------------------------Jake R------------------------------

markshnier__you · Answer

When a User Token is set up, the owner of the Token can select which apps it will be valid for. Initially it will not be valid for any apps.

------------------------------
Mark Shnier (YQC)
Quick Base Solution Provider
Your Quick Base Coach
http://QuickBaseCoach.com
mark.shnier@gmail.com
------------------------------

jakerattner1 · Answer

Hi Mark,&nbsp;True.&nbsp; And that does make is seem like a good path to go down.&nbsp; My question is more to confirm this statement:&nbsp;&nbsp;"If I give a developer access to an app, where they can create a user token, they can apply that user token only to apps which they have been given access to.&nbsp; Therefore, they will not be able to use any API method to access the other applications in our domain"If the statement isn't true, is there another way to give a developer API access to one app, while restricting their access from any other apps on the domain.Thanks,Jake
------------------------------Jake R------------------------------

markshnier__you · Answer

Yes, when a user creates an app token, that app token becomes them, in terms of their permissions.

So if they were a viewer to an app, then anyone using their token would also just be a viewer, and if they had no access to an app then neither would their token. I have not tested if its possible to assign a User Token to an App where you have no access (ie I doubt that app would even come up on a list), but regardless if the userid does not have access to an app, then neither will be Token. And if the User later loses their access to an app, then so will their Token lose access.

------------------------------
Mark Shnier (YQC)
Quick Base Solution Provider
Your Quick Base Coach
http://QuickBaseCoach.com
mark.shnier@gmail.com
------------------------------

jakerattner1 · Answer

Thanks Mark.&nbsp; You are correct that if there is no access to the an application it will not appear in the list.&nbsp; Appreciate the feedback.&nbsp; That makes me more confident about securing our apps with this method.------------------------------Jake R------------------------------

Forum Discussion

API Security

Related Content

Secure Links for Instant Access and Full Control

API Button Help

Restful API Report digesting JSON

Pipeline API Post

Nesting URL API Calls in one Button