I would suggest:
- Changing your auth mechanism to “Auth Token” and setting the location of the token to use the header `x-internal-authorization`
- In your plugin, hashing the `rawAuthorization` string
- Using the hash as the key for the session (or, if you want to go a step further, use `orgID+hash(rawAuthorization)`)
- Adding the hash as an `x-internal-authorization` header
Reasoning:
- Open APIs do not process rate limits or quotas
- Open APIs, since there is no token, do not collect analytics per user
- It means you can modify the session from the dashboard (if you use the orgID as a prefix)
I would also strongly suggest turning off master keys, it basically means that the inbound session has access to ALL APIs if the access list is empty. This might be ok for a PoC, but it’s not a safe mode.
M.
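A worked version of the hashing step from the reply above, added here as an illustration and not code from the original post or from the gateway project. It assumes a native Go plugin with the plain `net/http` handler signature (as Tyk-style pre-auth plugins use) and a placeholder org id standing in for whatever the plugin's config provides.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
)

// Header the gateway's "Auth Token" mechanism is configured to read (from the post).
const internalAuthHeader = "x-internal-authorization"

// Placeholder org id; a real plugin would take this from its configuration (assumption).
var orgID = "ORG_ID_PLACEHOLDER"

// hashRawAuthorization returns the hex SHA-256 digest of the raw Authorization value,
// so the caller's original credential is never stored as the session key itself.
func hashRawAuthorization(rawAuthorization string) string {
	sum := sha256.Sum256([]byte(rawAuthorization))
	return hex.EncodeToString(sum[:])
}

// sessionKey builds orgID+hash(rawAuthorization), the "go a step further" form from
// the post, which lets the session be found and edited from the dashboard under that org.
func sessionKey(orgID, rawAuthorization string) string {
	return orgID + hashRawAuthorization(rawAuthorization)
}

// InternalAuthMiddleware is the pre-auth hook: it derives the session key from the inbound
// Authorization header and places it in x-internal-authorization for the gateway's
// Auth Token check. Any client-supplied x-internal-authorization value is always
// discarded first, so callers cannot pick their own session key.
func InternalAuthMiddleware(rw http.ResponseWriter, r *http.Request) {
	r.Header.Del(internalAuthHeader)
	raw := r.Header.Get("Authorization")
	if raw == "" {
		// No credential: leave the header absent and let the gateway reject the request.
		return
	}
	r.Header.Set(internalAuthHeader, sessionKey(orgID, raw))
}

func main() {
	req, _ := http.NewRequest(http.MethodGet, "http://example.internal/api", nil)
	req.Header.Set("Authorization", "Bearer demo-token") // constructed sample credential
	InternalAuthMiddleware(nil, req)
	fmt.Println(req.Header.Get(internalAuthHeader))
}
```

The session must have been created in the gateway under exactly the key this produces (org prefix included), otherwise the Auth Token lookup fails.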