Imported Google Group message. Import Date: 2016-01-19 21:13:27 +0000.
Sender: Jayadatta Vallabhaneni.
Date: Wednesday, 20 May 2015 19:51:33 UTC+1.
Hi Martin,
I am working on a scenario where a developer has access to multiple APIs. What I am seeing is that by using any of the keys under his profile, the user is able to invoke the APIs even though the key was not requested for it. Could you please let me know if this is how it is supposed to work?
Steps to replicate:
Create two APIs (API1, API2).
User signs up in the portal.
Request keys for both the APIs. Two separate keys (key1 for API1, key2 for API2) are generated and shared with the user.
Below is the user profile snippet from the portal_developers collection for the user:
"org_id" : "5558f0657650d0004c000001",
"api_keys" : {
    "be60e1ec083a4191707d75fcc83fd0d7" : "5558f0657650d0004c000001187b6af9fe5742966146f041c02f033c",
    "d34e97e5712945727e5dc93114ce47ed" : "5558f0657650d0004c00000135cd38bde4e344954bde1744a275396d"
},
Now with Key1, the user is able to call API2, and with Key2, is able to call API1.
Thanks,
Jay