Currently the only authentication options for an application using your awork API are to have an API key issued with admin permissions or to authenticate via an OAuth2 flow. Since we would like to run an application without requiring every user to do an authentication first, the OAuth2 flow is not optimal for us. At the same time we would like to restrict the access privileges of the app to a read-only level. Ideally we could use the already existing permission system within awork for that. This allows us to create a low-privileged user role; however, it is currently not possible to assign user roles to API clients, specifically API keys for a client. We think this would be a welcome feature and kindly ask that you consider adding this in the future. If you have any further questions about our use case, I will be happy to answer them.
Hi @mkittelberger, thanks for the feedback, we will add it to our feedback list.
What is the issue with using an admin-level token for an integration? Or if it is a user-level integration, why not use OAuth?
We would like to have a non-interactive background syncing task which is supposed to only fetch data. I.e., the app should never be able to write/change anything in our awork projects, which reduces the risk if the API key is leaked or the app accidentally misuses the API in any way. While OAuth can be used by a user that is mapped to a custom-defined read-only role, we would like to not have to provide a dedicated user for this task.
Got it, so a read-only token that has access to all data would be what you’re interested in?
That would be a start; ideally, we are interested in an API token to which one could give the same permissions as to a user.