We’re currently building a WordPress plugin to integrate a developer portal with WP. The workflow is as follows:
- User registers as developer -> automatic registration on Tyk API as a developer
- Get list of policies (each representing access to an API)
- User chooses a policy -> key request is submitted on Tyk API (and optionally, automatically approved)
- Token is saved as key_request_id / token_name (user input) / policy_id

For security reasons, we’d rather not store the token itself; we just show it to the user once.
I’m trying to find out how a user could revoke one of his tokens. The tokens API expects you to know the api_id and token. The api_id is tricky since a policy can allow access to several APIs, so we don’t know the api_id for sure. The token itself we don’t have at all.
Do you see a solution here? For example, if tokens had a unique ID we could store that and use it to revoke the token.
Or do we have to store the token for this to work?