What exactly does API permissions do?

What exactly is the purpose of the “Permissions” tab under APIs in the dashboard?

I thought it was to ensure that an incoming request to the API had a particular scope, but this does not appear to be the case… I added ‘read:mystuff’ to the API permission list, and made a request to the API without that scope, and it (express-jwt) validates it just fine.

In order to require a certain scope in my API, I had to use the express-jwt-authz middleware. With this middleware, it doesn’t seem to matter whether I have the scope listed in the API permissions tab.

So, what exactly do the API permissions do?


Hello. Welcome back!

The API permission list contains scopes that are supported, not required. The scope enforcement comes from the API back-end. This must be programmed by you; we don’t provide it natively.

Thanks.

Ok. Do API permissions have any effect? For example, can you make a default scope for people logging into an application using the API, or is it merely for documentation purposes?

Does that mean that the “Enable RBAC” is the same? Does it actually change anything?