API Key Permissions/Restrictions to Reduce the Impact of a Leaked Key
Security Feature:
It should be possible to restrict the call types that your API key is able to make in order to reduce the impact of a leaked/breached key.
For example, if my API key is accidentally exposed, an attacker could then go on to exfiltrate data from my account.
If it were possible to lock down your API key so that it can only make certain call types, the impact of such a breach would be drastically reduced.
For example, I could lock down my key so that it is only permitted to add/send emails to a particular mailing list. If the key were to be breached, the attacker would only have limited access, hopefully preventing a full-scale breach.
6 votes
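What the request above amounts to on the provider side is a per-key scope check in front of every endpoint, so that a leaked key can only do what it was issued for. The following is an added example, not code from the original post or from any particular email/mailing-list provider; the scope names, the `sk_` key prefix, the list identifiers and the `check`/`simulate_leak` helpers are all assumptions made for illustration.

```python
"""Scoped API keys: every call is checked against the scopes and list
restrictions bound to the key, so a leaked key has a bounded blast radius.

Added example; scope names and key format are assumptions, not any
provider's real API.
"""
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical scope names for a mailing-list style API (assumption).
SCOPES = {
    "lists:add_member",   # add an address to a mailing list
    "mail:send",          # send a message/campaign
    "contacts:export",    # bulk-export the whole audience
    "account:read",       # read account settings
}


@dataclass(frozen=True)
class ScopedKey:
    scopes: frozenset          # call types this key may make
    list_ids: frozenset        # lists it may touch; empty means no list restriction


class KeyStore:
    """Stores only the SHA-256 of each key, never the key itself."""

    def __init__(self):
        self._keys = {}        # sha256(secret) -> ScopedKey

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, scopes, list_ids=()):
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        secret = "sk_" + secrets.token_urlsafe(32)   # shown to the user once
        self._keys[self._hash(secret)] = ScopedKey(frozenset(scopes), frozenset(list_ids))
        return secret

    def lookup(self, secret):
        return self._keys.get(self._hash(secret))

    def revoke(self, secret):
        self._keys.pop(self._hash(secret), None)


def check(store, secret, scope, list_id=None):
    """Return (allowed, reason) for a call made with `secret`.

    Every endpoint calls this first; anything not explicitly granted is denied.
    """
    key = store.lookup(secret)
    if key is None:
        return False, "unknown or revoked key"
    if scope not in key.scopes:
        return False, f"key lacks scope {scope}"
    if key.list_ids and list_id not in key.list_ids:
        return False, f"key not permitted on list {list_id!r}"
    return True, "ok"


def simulate_leak():
    """Constructed scenario: a key restricted to adding members to one list
    leaks, and the attacker tries to escalate to other call types and lists."""
    store = KeyStore()
    leaked = store.issue({"lists:add_member"}, list_ids={"newsletter"})
    attempts = {
        "add to newsletter": check(store, leaked, "lists:add_member", "newsletter"),
        "add to customers":  check(store, leaked, "lists:add_member", "customers"),
        "export contacts":   check(store, leaked, "contacts:export"),
        "send mail":         check(store, leaked, "mail:send"),
    }
    return {name: allowed for name, (allowed, _reason) in attempts.items()}


if __name__ == "__main__":
    for name, allowed in simulate_leak().items():
        print(f"{name:18} -> {'allowed' if allowed else 'DENIED'}")
```

Two details matter in practice: the store keeps only a hash of the key, so a database leak does not hand out usable keys, and the check is deny-by-default, so a new endpoint added later is not reachable by old keys until a scope is explicitly granted to them.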
