Add an advanced API token option to allow selection of all API methods separately.
As a web-hosting provider, I would like to have the ability to customise which API methods are allowed when creating a token with full root access, so that it is more secure to use the API.
This would greatly improve the security of using API tokens. You should never allow full access to all API methods in order to limit the impact if the tool that uses the API is compromised.
We have encountered two cases where this would be helpful.
- Transfer accounts between servers without allowing this token to delete accounts, add SSH keys, reboot the server, etc.
- List all user accounts, including accounts owned by other users, without allowing the API token to do anything else.
I would see this feature as an addition to the existing system: a simple ACL with checkboxes for all API methods that is only accessible when "Everything all root access" is enabled.
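As an added illustration of the per-method allowlist proposed above (example code written for this page, not the vendor's own implementation), the check below treats a full-root token with no allowlist as today's behaviour and a token with an allowlist as default-deny, so a "transfer only" or "list only" token cannot be used for anything else. The method names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed stand-ins for the real API method catalogue (the checkbox list).
API_METHODS = frozenset({
    "transfer_account", "list_accounts", "remove_account",
    "add_ssh_key", "reboot_server",
})


@dataclass(frozen=True)
class ApiToken:
    name: str
    full_root: bool
    # None reproduces current behaviour: every method is allowed.
    # A set restricts the full-root token to exactly those methods.
    allowed_methods: Optional[FrozenSet[str]] = None


def create_restricted_token(name: str, methods) -> ApiToken:
    """Validate the allowlist at creation time: unknown methods are rejected
    so a typo cannot silently grant nothing (or, worse, be ignored)."""
    unknown = set(methods) - API_METHODS
    if unknown:
        raise ValueError(f"unknown API methods: {sorted(unknown)}")
    return ApiToken(name, full_root=True, allowed_methods=frozenset(methods))


def authorize(token: ApiToken, method: str) -> Tuple[bool, str]:
    """Default-deny decision for one API call; the reason is meant for audit logs."""
    if method not in API_METHODS:
        return False, "unknown method"
    if not token.full_root:
        return False, "token lacks root access"
    if token.allowed_methods is None:
        return True, "legacy full-root token (all methods)"
    if method in token.allowed_methods:
        return True, "method is on the token allowlist"
    return False, "method not on the token allowlist"


def effective_permissions(token: ApiToken):
    """What a compromised copy of this token could actually call."""
    return sorted(m for m in API_METHODS if authorize(token, m)[0])


if __name__ == "__main__":
    transfer_only = create_restricted_token("migration", {"transfer_account"})
    for m in ("transfer_account", "remove_account", "reboot_server"):
        print(m, authorize(transfer_only, m))
```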
Hi Monarobase,
I have a scenario I want to pose to make sure I understand your request clearly. Are you envisioning a way to add an API token that (1) starts with allowing all APIs by default and then (2) lets you choose specific APIs you want excluded from access?
There are quite a few things you currently can’t do without providing access to all API methods with full root access. Doing this isn’t secure.
When full root access is required, I want to have the ability to specify which API methods are allowed. I don’t mind how it’s achieved.
I want to have a way to have a token that can only transfer users to a new server, or a token that can only list all users on the server. I want to remove the requirement to allow access to all API methods in order to use a single API method.