API Keys: Account Permission

in API Development

Posted by: pmnt.4067

I have a question about the permissions for API keys. Why is the “account” permission mandatory?

It seems to me that the most popular application for the API keys is to calculate the gold value of the bank/material storage/inventory. To work properly, these applications need the “inventories” and “wallet” permissions, but wouldn’t strictly need the “account” data.

I see the theoretical possibility that such a “net account value” application could use the API data to select profitable targets for hacking attempts. If the account permission wasn’t necessary, the applications could still work properly to calculate the account value, but wouldn’t know which account is worth so much.

Is there a technical reason why the “account” permission is mandatory? Or am I the only one who is paranoid enough to think of this scenario?

I can’t wait until ANet releases the game promoted in the manifesto.
Until that, I’ll play GW2.

Posted by: Lawton Campbell

Web Programmer

The API “frontend” doesn’t have permission to do anything; the permissions are enforced by other backend servers. To talk to the backend servers about an account, we need to get the account ID, which requires the “account” permission.