Open : Open for Consideration

Ability to monitor and restrict API usage

Related products: Freshservice
  • November 29, 2023
  • 2 replies
  • 200 views

DanielRuff
Top Contributor ⭐

What is the problem?

Workflows in Freshservice are really great, but the more you use them with external integrations, the more you rely on the API being available and the API calls working and not failing for some reason.

 

Main issues we’re facing and ideas for that:

  • API Keys and restrict users
    Every single agent (300-400 for us) has an API key and can use the API even if I don’t want them to use it. There is no possibility to restrict this behaviour. It should be the other way around: I allow specific users to use the API instead of generally allowing the usage.
     
  • Rate limit and monitoring
     
    • Notification about errors in web requests
      E.g. my third-party integration failed because the rate limit from Freshservice was reached and I needed to pull data via API (or any other error). How do you get notified about this? In Freshdesk, admins get an email about failed web requests - not in Freshservice. If you want to get a notification you can use the best practice I documented in the community using this Link. We need a better overview of the requests, the results and if we want to get notified about errors.
       
    • Who uses the API?
      At the moment Freshservice doesn’t have the ability to see who used the API to see why the API limit is reached. I need to ask Freshservice support, they send me an Excel file, and in the far background they themselves can see the user who has sent so many requests to the API that my third-party integration failed. We run into issues with the rate limit very often and are struggling hard to run our third-party integrations speaking to our Freshservice instance.
       
  • Unauthorized requests
    Tell me your Freshservice URL and I can exceed your rate limit without having a valid API key. I could write a script that sends 1000 unauthorized API calls to your production Freshservice instance per minute and that would reduce your rate limit even if my requests are not authorized. My API integrations that rely on the Freshservice API can easily get DDoSed.

    If you ask Freshservice support they can manually block IP addresses but that’s it. Unauthorized requests should not count towards the rate limit. Following my first point about restricting users from API usage, that should help here as well. Also, having a timeout for users that exceed the limit very often would help, or I’d be happy about any other improvement.

    Example:
    Simple API call to support.freshservice.com without a valid API key. I sent 6 requests to their endpoint and the rate limit is reduced by 6. A simple script with a loop and their production instance API rate limit is reached.
     

     
  • Money
    Having a lot of external applications trying to access Freshservice literally costs a lot of money, as they all need a valid full-time license + account. Best practice recommended by Freshworks is to use single accounts for every integration. Just as a side note. See this topic in the idea section to get additional licences for tech accounts: Link

2 replies

alyssia.correa
Skilled Expert
New Idea Open : Open for Consideration

joey.domhof
Active Contributor
  • March 15, 2024

Very happy to see this being considered @alyssia.correa! @DanielRuff thanks for raising this 🙌🏻