Use API Key authorization and don't bind it to a user
First: Use a real API-Key based authorization, not a base authentication with an "API key" as user name and password "X".
I don't think that's really secure. "X" is a bad password. If you can't do better than only base auth, then let us set the password.
Which brings me to:
Second: Don't tie the "api key" to a user. Have a distinct, unique api key (or "system user" with separate login and password to be set by the admin) that can be used for API calls, like ticket creation and the like *without having all tickets created by the same user* (as it is right now and completely screws with the reports).
2 people have this question