What exactly is the purpose of the “Permissions” tab under APIs in the dashboard?
I thought it was to ensure that an incoming request to the API had a particular scope, but this does not appear to be the case… I added ‘read:mystuff’ to the API permission list, and made a request to the API without that scope, and it (express-jwt) validates it just fine.
In order to require my API to require a certain scope, I had to use the express-jwt-authz middleware. With this middleware, it doesn’t seem to matter if I have the scope listed in the API permissions tab.
So, what exactly do the API permissions do??
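
The split observed in the question, token validation passing while scope goes unchecked, shown as an added example that is not part of the original post and not the code of express-jwt or express-jwt-authz. It assumes an HS256 token with a space-separated `scope` claim; the secret, tokens and function names are constructed for illustration.

```javascript
// Added example: secret, tokens and helper names are constructed, not from the post.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: HS256 shared secret
const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Build a signed HS256 token so the example runs offline.
function signToken(payload) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${hmac(`${head}.${body}`).toString('base64url')}`;
}

// Step 1 (authentication): algorithm, signature and expiry only. Scope is never read here.
function verifyToken(token) {
  try {
    const [head, body, sig] = String(token).split('.');
    if (!head || !body || !sig) return null;
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const expected = hmac(`${head}.${body}`);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url'));
    if (typeof claims.exp !== 'number' || claims.exp <= Date.now() / 1000) return null;
    return claims;
  } catch (err) {
    return null; // malformed base64 or JSON
  }
}

// Step 2 (authorization): every required scope must appear in the token's scope claim.
function hasScopes(claims, required) {
  const granted = typeof claims.scope === 'string' ? claims.scope.split(' ') : [];
  return required.every((s) => granted.includes(s));
}

// HTTP status a route protected by both steps would send.
function authorize(token, required) {
  const claims = verifyToken(token);
  if (!claims) return 401; // not a valid token
  return hasScopes(claims, required) ? 200 : 403; // valid token, maybe too little scope
}

const exp = Math.floor(Date.now() / 1000) + 300;
const withoutScope = signToken({ sub: 'user1', exp, scope: 'openid profile' });
const withScope = signToken({ sub: 'user1', exp, scope: 'openid read:mystuff' });
console.log(authorize(withoutScope, ['read:mystuff']), authorize(withScope, ['read:mystuff']));
```

A route that runs only step 1 accepts `withoutScope`, which matches what the post reports; the 403 appears only once step 2 is added to the route.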