For API authentication we need to create an OAuth application. However, there is no way to limit the scopes that are allowed for tokens generated using the application.

This is particularly useful if you want to create an app and share the keys with a team member who just wants read operations of the API. Currently we have to rely on/trust the application/developer not to use the keys to generate an access token which can do write operations too.

It would be good if the admin has a way to limit the scopes which are allowed for an OAuth app. This is a common practice in GitHub and other places too.

This eliminates the possibility of misuse of API keys for purposes unintended. (Like in my example, somebody using the same keys to delete stuff etc.)
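The control the idea asks for, shown as an added example rather than code from the platform or from either poster: the admin sets a scope ceiling on each OAuth app, the token endpoint refuses any request that exceeds it, and every API route (including the user-related ones) is mapped to a required scope. The scope names, routes, app registry and class names here are constructed for illustration.

```python
"""Per-application scope ceiling enforced at token issuance (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OAuthApp:
    client_id: str
    allowed_scopes: frozenset  # ceiling fixed by the admin when the app is created


@dataclass(frozen=True)
class AccessToken:
    client_id: str
    scopes: frozenset


class ScopeNotAllowed(Exception):
    """Raised when a token request asks for a scope outside the app's ceiling."""


def issue_token(app: OAuthApp, requested_scopes: set) -> AccessToken:
    """Issue a token only if every requested scope is within the app's ceiling.

    Rejecting outright, rather than silently narrowing the grant, makes an
    attempt to obtain write access with a read-only app visible in the
    authorization server's logs.
    """
    excess = set(requested_scopes) - app.allowed_scopes
    if excess:
        raise ScopeNotAllowed(
            f"app {app.client_id!r} may not request scopes {sorted(excess)}"
        )
    return AccessToken(app.client_id, frozenset(requested_scopes))


# Constructed route table: every route, user-related ones included, needs a scope.
REQUIRED_SCOPE = {
    ("GET", "/posts"): "community:read",
    ("DELETE", "/posts/{id}"): "community:write",
    ("GET", "/users"): "users:read",
    ("DELETE", "/users/{id}"): "users:write",
}


def authorize(token: AccessToken, method: str, route: str) -> bool:
    """Allow the call only if the token carries the scope the route requires.

    Routes missing from the table are denied, so a new API added without a
    scope mapping fails closed instead of being reachable with any token.
    """
    needed = REQUIRED_SCOPE.get((method, route))
    if needed is None:
        return False
    return needed in token.scopes


if __name__ == "__main__":
    # A reporting app whose ceiling is read-only across both APIs.
    reporting = OAuthApp("reporting-app", frozenset({"community:read", "users:read"}))
    token = issue_token(reporting, {"community:read", "users:read"})
    print("GET /posts allowed:", authorize(token, "GET", "/posts"))
    print("DELETE /users/{id} allowed:", authorize(token, "DELETE", "/users/{id}"))
    try:
        issue_token(reporting, {"users:write"})
    except ScopeNotAllowed as exc:
        print("token request refused:", exc)
```

Sharing `reporting-app`'s keys then carries no write capability at all: even a holder who asks the token endpoint for `users:write` is refused, rather than merely being trusted not to ask.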

Thanks for sharing this idea @mefarazath and explaining how it would benefit you.

It is possible to set read-only scope, but indeed this only applies to the Community API → the User API and Gamification API do not currently use scopes, which means that the keys could be used to create/delete user-related data.
