• Resolved maps1990

    (@maps1990)


    I’ve read the official WooCommerce REST API documentation and there is something I don’t understand, and I can’t find the answer anywhere else either.

    Context: I am a shop owner and a marketplace that I will work with asks me for an API key, to display my products in their store (pictures, description, stock, etc).

    Question: I go to Settings and while creating an API key, after the description, WooCommerce asks to select a User, so should I:
    a/ choose myself as the User, and then give this key to the marketplace (and give this same, unique key to every third party that asks for an API key)?
    or
    b/ should I go create a specific User for the marketplace (and create a specific, distinct User and API key for every third party who needs an API key in the future)?

    If a/, I guess giving a key with Admin privileges to third parties is not a best practice, so should I select only “Read” (instead of Read/Write) to avoid issues?
    If b/, what user role should I select (“Client”?) and should I choose read and/or write?

    Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support Stuart Duff – a11n

    (@stuartduff)

    Automattic Happiness Engineer

    Hey @maps1990,

    I’d personally create a new user for the API key recipient. Then generate an API key that is Read-only for that recipient.

    Image Link: https://cloudup.com/c1I0c7fPERc

    This approach lets you control users’ keys in case they have an issue with those. If they’re in some way abusing the API access you can then also easily remove a particular user’s or company’s API access key.

    I hope this helps 🙂

    Thread Starter maps1990

    (@maps1990)

    Hi Stuart,

    Thanks a lot for your reply.

    About creating one specific key per user: I came to the same conclusion (for the same reason).

    About the type of user to select (Client, Admin, etc), if it helps other readers: after having been confronted with the need to create another API key for another third party, who needed Read AND Write access, I felt that the default user roles (Admin, Shop Manager, etc) would inevitably give too many rights compared to what was needed, and I became aware that several plugins enable you to create new user profiles, so that you can give only the rights you need to give (e.g. “change an order status”, or “add a product”, etc).

    Hope this helps too.

    Cheers


The topic ‘Basic REST API question (about User selection while creating Keys)’ is closed to new replies.
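
An added example, not part of the original thread: a small audit that applies the advice above (one dedicated user per third party, read-only unless write is needed, no admin-level owner) to a list of existing keys. The rows are constructed; the key columns follow WooCommerce's `wp_woocommerce_api_keys` table, and the `role` field is assumed to have been joined in from the owning WordPress user.

```python
from collections import defaultdict

# Constructed sample rows. key_id, user_id, description and permissions mirror
# columns of wp_woocommerce_api_keys; "role" is an assumed join on the owner.
SAMPLE_KEYS = [
    {"key_id": 1, "user_id": 1, "role": "administrator",
     "description": "Marketplace A", "permissions": "read_write"},
    {"key_id": 2, "user_id": 7, "role": "customer",
     "description": "Marketplace B", "permissions": "read"},
    {"key_id": 3, "user_id": 9, "role": "shop_manager",
     "description": "Fulfilment partner", "permissions": "read_write"},
    {"key_id": 4, "user_id": 9, "role": "shop_manager",
     "description": "Price comparison site", "permissions": "read"},
]

PRIVILEGED_ROLES = {"administrator", "shop_manager"}
WRITE_PERMISSIONS = {"write", "read_write"}


def audit_api_keys(rows):
    """Return {key_id: [finding, ...]} for keys that go against the advice."""
    findings = defaultdict(list)
    keys_per_user = defaultdict(list)
    for row in rows:
        keys_per_user[row["user_id"]].append(row["key_id"])
        # Key is tied to an account with broad shop rights.
        if row["role"] in PRIVILEGED_ROLES:
            findings[row["key_id"]].append("privileged-owner")
        # Key can modify data; confirm the recipient really needs that.
        if row["permissions"] in WRITE_PERMISSIONS:
            findings[row["key_id"]].append("write-access")
    # Several keys on one user: removing that user cuts off every recipient.
    for key_ids in keys_per_user.values():
        if len(key_ids) > 1:
            for key_id in key_ids:
                findings[key_id].append("shared-user")
    return dict(findings)


if __name__ == "__main__":
    for key_id, issues in sorted(audit_api_keys(SAMPLE_KEYS).items()):
        print(key_id, ", ".join(issues))
```
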