Title: API user capabilities (Security problem)
Last modified: October 17, 2023

---

# API user capabilities (Security problem)

 *  Anonymous User 20702716
 * (@anonymized-20702716)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/)
 * Hello,
   you told me here that for creating tickets programmatically I might use one
   token only: [https://wordpress.org/support/topic/creating-tickets-with-api/](https://wordpress.org/support/topic/creating-tickets-with-api/)
   But if I do it like that, the user associated with the token also needs the capability
   to read tickets. Otherwise the creation fails (“unauthorized”). But if I do it
   this way WITH reading capabilities, then a user who creates a ticket via API can
   copy the token out of the dev tools and then use it to read all tickets of all
   users via a Postman GET request with the token. But I want everybody only to
   be able to read his or her own tickets. So how could I manage this? And sorry,
   I think I haven’t made clear that this is via a plugin that runs on the same
   page and that users can see the requests via dev tools and read the token.
    -  This topic was modified 2 years, 7 months ago by Anonymous User 20702716.

Viewing 8 replies - 1 through 8 (of 8 total)

 *  [miliighe](https://wordpress.org/support/users/miliighe/)
 * (@miliighe)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/#post-17131916)
 * Hello @lenaccp
 * Thanks for contacting us.
 * You have to use one of the mentioned authentication methods:
 * **[https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/](https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/)**
 * As you are already using JWT authentication, please follow further steps:
 * Please use the below API to generate a token for the particular user and send
   his username and password in it:
 * **[http://your-site.com/wp-json/jwt-auth/v1/token](http://your-site.com/wp-json/jwt-auth/v1/token)**
 * It will generate a token for that user, and store that token for future use. 
   Now use that token in the other rest API as a bearer token.
 * Thank you.
 *  Thread Starter Anonymous User 20702716
 * (@anonymized-20702716)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/#post-17133042)
 * Thanks, I managed to create a token and it works, but the problem is that the
   token should ONLY be used to create tickets and nothing else, for security reasons.
   So I assigned a support agent role and set the capacity to create tickets for
   the token’s user.
   The problem is that I cannot generate a user who can ONLY create
   tickets. To execute the request to create the ticket, the user ALSO needs the
   capacity to READ tickets. Otherwise I get 401 “unauthorized”. I have tested it
   by assigning and removing the capability to read. This means that a user who creates
   a ticket programmatically might use the token to read ALL tickets of ALL other
   users by reading the token and doing a GET request via Postman. This should not
   be allowed.
 *  [miliighe](https://wordpress.org/support/users/miliighe/)
 * (@miliighe)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/#post-17134748)
 * Hello,
 * You can manage the users who can create on your site from Support > Settings 
   > General Settings > General > Allow create new ticket > Add/Remove user roles.
 * Also, you can manage the capabilities of Support Agents like view tickets from
   Support > Support Agents > Agent Roles > Edit > Remove all the permissions except
   “Assigned to me” for view tickets and others.
 * Thank you.
 *  Thread Starter Anonymous User 20702716
 * (@anonymized-20702716)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/#post-17135838)
 * Thank you again for answering. Unfortunately I can only get the creation of tickets
   via API to work if the token’s user also has the capability to READ tickets
   (not assigned, left column).
   So the token might be used by a customer to also
   read tickets of other customers. I just don’t know how to solve this.
 *  [miliighe](https://wordpress.org/support/users/miliighe/)
 * (@miliighe)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/#post-17142871)
 * Hello,
 * As we have told you in a previous thread, you need to create a different token
   for each user so according to that token, the current user is defined.
 * Now, according to the current user role he can view and access the tickets.
 * There is no need to disclose the token to the customers.
 * Thank you.
 *  Thread Starter Anonymous User 20702716
 * (@anonymized-20702716)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/#post-17142898)
 * I am really sorry, but I am just confused. In this thread:
   [https://wordpress.org/support/topic/creating-tickets-with-api/](https://wordpress.org/support/topic/creating-tickets-with-api/)
   I understood I don’t need a token for each user and that I can operate with a
   technical user who does the job for all users. So I got you wrong? I don’t really
   know how to create a separate token for each user, as I don’t have their passwords
   to create them. And wouldn’t all the users then have to be support agents?
 *  Thread Starter Anonymous User 20702716
 * (@anonymized-20702716)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/#post-17143151)
 * Maybe I try to stick with the one-token solution, but somehow send the ticket
   fields from the frontend to the backend code and do the API request from there,
   so that the token is never present at the frontend and cannot be read via dev
   tools?
   Might this be a solution that works with ONE technical user token and
   is safe? I am really sorry to have to ask you so much, it is just that I never
   did such a task before.
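The server-side proxy sketched in the post above is the standard way to keep a privileged bearer token out of the browser. The following is an added example, not code from the thread or from the SupportCandy plugin: a custom WordPress REST route that only logged-in users can POST to, which creates the ticket on the server with a token read from `wp-config.php`. The route namespace `my-helpdesk/v1`, the constant `SC_PROXY_BEARER_TOKEN`, the ticket payload field names and the `id` key in the upstream response are assumptions; the `supportcandy/v2/tickets/` route and the JWT token endpoint are the ones named in this thread.

```php
<?php
/**
 * Added example (not the plugin's or the thread author's code): a proxy
 * endpoint that creates a SupportCandy ticket for the logged-in user.
 * The bearer token stays on the server; the browser only ever sees this route.
 *
 * Assumption: in wp-config.php, define the token obtained once from
 * /wp-json/jwt-auth/v1/token for the technical user:
 *   define( 'SC_PROXY_BEARER_TOKEN', 'REPLACE_WITH_JWT_TOKEN' );
 */

add_action( 'rest_api_init', function () {
    // Only POST is registered: there is deliberately no GET on this route,
    // so it cannot be turned into a read path for other users' tickets.
    register_rest_route( 'my-helpdesk/v1', '/tickets', array(
        'methods'             => 'POST',
        // Cookie auth: the frontend must send the X-WP-Nonce header created
        // with wp_create_nonce( 'wp_rest' ), otherwise the user is anonymous.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
        'callback'            => 'my_helpdesk_create_ticket_proxy',
        'args'                => array(
            'subject'     => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'description' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
    ) );
} );

function my_helpdesk_create_ticket_proxy( WP_REST_Request $request ) {
    if ( ! defined( 'SC_PROXY_BEARER_TOKEN' ) || '' === SC_PROXY_BEARER_TOKEN ) {
        return new WP_Error( 'proxy_not_configured', 'Ticket proxy is not configured.', array( 'status' => 500 ) );
    }

    $user = wp_get_current_user();

    // Payload keys are an assumption about the SupportCandy v2 tickets route;
    // check the plugin's REST documentation for the exact field names.
    $payload = array(
        'subject'     => $request->get_param( 'subject' ),
        'description' => $request->get_param( 'description' ),
        // Requester identity is taken from the WordPress session, never from the
        // request body, so a caller cannot open tickets in someone else's name.
        'customer'    => $user->user_email,
    );

    $response = wp_remote_post(
        rest_url( 'supportcandy/v2/tickets/' ),
        array(
            'timeout' => 15,
            'headers' => array(
                'Authorization' => 'Bearer ' . SC_PROXY_BEARER_TOKEN,
                'Content-Type'  => 'application/json',
            ),
            'body'    => wp_json_encode( $payload ),
        )
    );

    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'ticket_upstream_error', 'Could not reach the ticket API.', array( 'status' => 502 ) );
    }

    $code = wp_remote_retrieve_response_code( $response );
    if ( $code < 200 || $code >= 300 ) {
        // Do not forward the upstream body verbatim; it may reveal internals.
        return new WP_Error( 'ticket_create_failed', 'Ticket could not be created.', array( 'status' => 502 ) );
    }

    $body = json_decode( wp_remote_retrieve_body( $response ), true );

    // Return only what the frontend needs ('id' key is assumed).
    return rest_ensure_response( array(
        'id' => isset( $body['id'] ) ? $body['id'] : null,
    ) );
}
```

The technical user still holds read capability on the server side, so the protection rests on the proxy exposing nothing but ticket creation: keep the route POST-only, never echo the upstream response body, and never write the token into a page, script or JavaScript variable. The loopback call via `rest_url()` assumes the site can reach its own REST API over HTTP, which some hosting setups block; in that case the same logic can call the plugin's PHP functions directly instead of going through HTTP.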
 *  Thread Starter Anonymous User 20702716
 * (@anonymized-20702716)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/#post-17152822)
 * Hello, sorry for asking again, but I still haven’t found an acceptable solution
   to create tickets programmatically. So there is no way to give permission for
   the “supportcandy/v2/tickets/” route only for POST and NOT for GET requests? The
   JWT plugins only allow the creation of tokens if I have a password, as far as I
   understand it. To ask the users to type them again and then implement a function
   to create a token seems to be a bit overly complicated only to create tickets
   outside of your plugin code. That is why I wanted to operate with ONE technical
   user. Is there also no other way to programmatically create a SupportCandy ticket
   with custom code outside of your plugin on the same page?


The topic ‘API user capabilities (Security problem)’ is closed to new replies.

 * 8 replies
 * 2 participants
 * Last reply from: Anonymous User 20702716
 * Last activity: [2 years, 7 months ago](https://wordpress.org/support/topic/api-user-capabilities-security-problem/#post-17152822)
 * Status: not resolved