
User Level API token for Vanilla Forums


I have been exploring the Vanilla Forums API to extend it to an iOS application. I have found that the APIs that are exposed are mostly Admin level APIs. A normal user doesn't even have dashboard access to get to know the API key or the Access Token.
In this case, the API usage gets restricted only to admins and not to normal users. Can I have a solution for this issue, and are there any future plans of exposing user level API keys?




    @AravindS I think you are getting slightly confused.

    You don't expose your credentials to anyone, not moderators, not second party admins, etc.

    Only the webmaster/developer should know the credentials.

    The API is mostly for server-to-server communications, so you need to abstract. You don't give ordinary users that much control.

    The API would be appropriate for communicating from an application not on the framework to the framework. If you think it is for users to use directly, it isn't used that way, not with the API key.

    If you want to do client-side operations, you can use ordinary sessions, not the API key. As in, they would have exactly the same privileges they would ordinarily have, and would be already logged in. Alternatively you can proxy operations, but you never expose the credentials.

    grep is your friend.
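
The proxy arrangement described in the post above, as an added example that is not part of the thread and not Vanilla's own code: the client presents only its session, and the proxy decides what is allowed and attaches the server-held key. Every name here (`proxy`, `upstream_call`, the operation strings, the role table) is hypothetical, and the upstream call is a stand-in rather than a real Vanilla endpoint.

```python
import hmac
import secrets

# Assumption: hypothetical names throughout; this is not Vanilla's API.
SERVER_API_KEY = secrets.token_hex(16)   # lives only on the proxy host
SESSIONS = {}                            # session id -> user record (constructed)

# Operations each role may ask the proxy to perform on its behalf.
ROLE_ALLOWED = {
    "member": {"discussion.list", "comment.add"},
    "moderator": {"discussion.list", "comment.add", "comment.delete"},
}

def login(username, role):
    """Stand-in for a real credential check; issues an opaque session id."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": username, "role": role}
    return sid

def upstream_call(api_key, operation, acting_user, params):
    """Stand-in for the server-to-server request to the forum API."""
    if not hmac.compare_digest(api_key, SERVER_API_KEY):
        return {"status": 401}
    return {"status": 200, "operation": operation,
            "as": acting_user, "params": params}

def proxy(session_id, operation, params):
    """Handle one request from the mobile client."""
    session = SESSIONS.get(session_id)
    if session is None:
        return {"status": 401, "error": "not signed in"}
    if operation not in ROLE_ALLOWED.get(session["role"], set()):
        return {"status": 403, "error": "operation not permitted"}
    # Identity comes from the session, never from client-supplied fields.
    params = {k: v for k, v in params.items() if k != "user"}
    result = upstream_call(SERVER_API_KEY, operation, session["user"], params)
    # Only the upstream result goes back; the key is never echoed.
    return {"status": result["status"], "result": result}
```

The client never holds `SERVER_API_KEY`, and a `user` field it sends is discarded so it cannot act as someone else.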

    x00x00 MVP
    edited June 2014

    User level API keys would imply that you want users to store their credentials somewhere; if there is not a secure place to do this, this is not a viable option. As in, they are using third-party software to control stuff on the site that has their roles and permissions. Instead of login?

    But on the other hand, this application could prompt them to log in and hold the session cookie, in which case they could use the normal session approach to the API. If this is not appropriate, given you will be developing this application, why don't you develop the user level key part?

    grep is your friend.
