Limiting scope of API access

It seems API access is very broad (admin) or very narrow (member). Is there a method to limit the scope of API access to a subset of equipment? For example, I would like to get the usage of a bridge in the last day, but I don’t need my application to be able to add new API keys, delete users or change account details.

If it’s possible, how would I configure Fabman to grant access to that information without allowing full admin API access to the client?

Hey @dennymingus,

We currently don’t offer additional access restrictions for API keys.

But you should never expose your API key to the client! Instead, the API key should be treated as a shared secret that stays on your server. Use it to fetch the necessary information from Fabman and then forward it to your client as needed.
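The server-side pattern described in this reply, as an added example that is not Fabman's code or a documented Fabman endpoint: the key stays on the server, and the proxy can only express the one narrow request the client needs. The base URL, the `/bridges/{id}/usage` path, the `since` parameter and the Bearer header scheme are assumptions used as placeholders.

```javascript
// Added example (not Fabman's code): a minimal server-side proxy that keeps the
// API key out of the browser and exposes only one narrow capability.
// ASSUMPTIONS: base URL, the "/bridges/{id}/usage" path, the "since" query
// parameter and the Bearer scheme are placeholders, not documented endpoints.
const API_KEY = process.env.FABMAN_API_KEY || "placeholder-key"; // server-side only
const UPSTREAM = "https://fabman.example/api"; // placeholder base URL

// The only upstream requests this proxy can make. Adding keys, deleting users
// or changing account details are not representable here, which is the
// least-privilege boundary the key itself does not provide.
const ALLOWED = {
  bridgeUsageLastDay(bridgeId) {
    if (!/^\d+$/.test(String(bridgeId))) throw new Error("invalid bridge id");
    const since = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString();
    return { method: "GET", path: `/bridges/${bridgeId}/usage?since=${encodeURIComponent(since)}` };
  },
};

// Map a client request onto an allowed upstream request, or refuse it.
function planUpstream(route, params) {
  const builder = Object.prototype.hasOwnProperty.call(ALLOWED, route) ? ALLOWED[route] : null;
  if (!builder) return { status: 404, error: "no such capability" };
  try { return { status: 200, request: builder(params.bridgeId) }; }
  catch (e) { return { status: 400, error: e.message }; }
}

// Perform the upstream call; `transport` is injectable so this runs offline.
async function proxy(route, params, transport = defaultTransport) {
  const plan = planUpstream(route, params);
  if (plan.status !== 200) return plan;
  const res = await transport(UPSTREAM + plan.request.path, {
    method: plan.request.method,
    headers: { Authorization: `Bearer ${API_KEY}` }, // key never reaches the client
  });
  // Forward only the fields the client needs, never the raw upstream response.
  return { status: res.status, body: { bridgeId: String(params.bridgeId), usage: res.body.usage } };
}

// Real transport for production use (Node 18+ global fetch).
async function defaultTransport(url, init) {
  const r = await fetch(url, init);
  return { status: r.status, body: await r.json() };
}
```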

That’s certainly the way we’re doing it. The API key is only used server-side.

I was just wondering if there was a way to use least privilege principles and it looks like there isn’t.

Not right now, unfortunately.