Permissions management for API Keys
Your Sending API Keys are limited to just the sending portion of the available API. Can you expand this to include the Bounce API?
We use a WordPress newsletter plugin called Mailster, and as it needs access to the Bounce API, it requires the account-level Private API Key, which is excessive for the use case.
Could you either expand the Sending API key to include the Bounce API or, more elegantly, allow users to manually configure what permissions to give an API key for their specific use case.
Hello,
Thank you for your previous feedback. We released Role-based Access Control for API Keys. This will allow an admin user to create API keys using pre-defined roles which manage what level of access that API key has. Roles to choose from will be Analyst (Basic), Support, Developer, and Admin. Please let us know if you have any questions. We will mark this idea thread as complete.
-
Jamie Scaife commented
Security Feature:
It should be possible to restrict the call types that your API key is able to make in order to reduce the impact of a leaked/breached key.
For example, if my API key is accidentally exposed, an attacker could then go on to exfiltrate data from my account.
If it were possible to lock down your API key so that it can only make certain call types, the impact of such a breach would be drastically reduced.
For example, I could lock down my key so that it is only permitted to add/send emails to a particular mailing list. If the key were to be breached, the attacker would only have limited access, hopefully preventing a full-scale breach.
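The scoping described in this thread, as an added illustration that is not part of any post above and not the provider's own code: every API key carries an explicit allow-list of scopes, every endpoint declares the one scope it requires, and a request is authorized only when its key holds that scope. The scope names, endpoint paths, key format and key table are all constructed for this example. A key minted for a newsletter plugin with only the send and bounce-read scopes can deliver mail and poll bounces, but a leaked copy of it cannot read event logs or touch mailing lists, which is the blast-radius reduction the request asks for.

```python
"""Scope-enforced API keys (added example; scopes and endpoints are made up)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed scope names for this example; not a real provider's role names.
SCOPE_SEND = "messages:send"
SCOPE_BOUNCES_READ = "bounces:read"
SCOPE_LISTS_WRITE = "lists:write"
SCOPE_EVENTS_READ = "events:read"

# Each (method, path) declares the single scope it requires.  Anything not
# listed here is denied by default rather than falling through as "allowed".
ENDPOINT_SCOPES = {
    ("POST", "/messages"): SCOPE_SEND,
    ("GET", "/bounces"): SCOPE_BOUNCES_READ,
    ("POST", "/lists/members"): SCOPE_LISTS_WRITE,
    ("GET", "/events"): SCOPE_EVENTS_READ,
}


@dataclass(frozen=True)
class ApiKey:
    key_id: str          # public identifier, safe to log
    secret_hash: bytes   # only the hash of the secret is stored at rest
    scopes: frozenset    # allow-list of scopes this key may exercise


def _hash_secret(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()


class KeyStore:
    """In-memory key table standing in for the provider's database."""

    def __init__(self):
        self._keys = {}

    def create_key(self, scopes) -> str:
        """Mint a key restricted to `scopes`; the full secret is returned once."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = ApiKey(key_id, _hash_secret(secret), frozenset(scopes))
        return f"{key_id}.{secret}"  # constructed "id.secret" wire format

    def lookup(self, presented: str):
        """Return the ApiKey record for a presented key, or None if invalid."""
        key_id, _, secret = presented.partition(".")
        rec = self._keys.get(key_id)
        if rec is None:
            return None
        # Constant-time compare so secret validation does not leak timing.
        if not hmac.compare_digest(rec.secret_hash, _hash_secret(secret)):
            return None
        return rec


def authorize(store: KeyStore, presented_key: str, method: str, path: str):
    """Decide whether `presented_key` may call `method path`.

    Returns (allowed, reason).  Deny-by-default: unknown keys, unknown
    endpoints and missing scopes all fail closed.
    """
    rec = store.lookup(presented_key)
    if rec is None:
        return False, "invalid key"
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return False, "unknown endpoint"
    if required not in rec.scopes:
        return False, f"key lacks scope {required}"
    return True, "ok"


if __name__ == "__main__":
    store = KeyStore()
    # A key for the newsletter plugin: send mail and read bounces, nothing else.
    newsletter_key = store.create_key([SCOPE_SEND, SCOPE_BOUNCES_READ])
    for method, path in ENDPOINT_SCOPES:
        print(method, path, authorize(store, newsletter_key, method, path))
```

The two design points worth copying are that authorization is decided per endpoint against an explicit allow-list (so adding a new endpoint without assigning it a scope denies it rather than exposing it), and that the stored record never contains the secret itself, so a dump of the key table does not yield usable credentials.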