Use API Key authorization and don't bind it to a user

Two things:

First: Use a real API-Key based authorization, not a base authentication with an "API key" as user name and password "X".

I don't think that's really secure. "X" is a bad password. If you can't do better than only base auth, then let us set the password.

Which brings me to:

Second: Don't tie the "api key" to a user. Have a distinct, unique api key (or "system user" with separate login and password to be set by the admin) that can be used for API calls, like ticket creation and the like *without having all tickets created by the same user* (as it is right now and completely screws with the reports).
