Feedback wanted: API Tokens

On October 5th’s maintainer call we talked briefly about API tokens, and a few aspects of API tokens were raised for which adopter and maintainer feedback was requested.

  • Adopter/maintainer feedback on token creation
  • Scoping which tokens have access to private vs. public information from a Hypha ‘instance’
  • Any other concerns re. API tokens.

Background context: A token within the Contracting and compliance feature set allows full, open access to a certain area.
Do we want roles and users to have different access to API tokens for certain sections (e.g. API key access for admin, finance, access to areas, etc.)?
@frjo Can you add any more context here from contracting and compliance work for OTF?

(I, Eriol, do not know much, or anything, about tokens beyond general knowledge :sweat_smile: but it was suggested that this is a good explainer for folks:

thank you!

public scope:

  • would be anything that’s already public (requests, funds, labs, applications, etc.)

private scope:

  • initially, just a full admin-rights token, but not any of the public stuff (so that folks don’t use private keys for public stuff and then put fully priv. keys out there)

Later, allow custom private token scopes that align with object permissions when you add a group (i.e. just like making a new group, but for token issue rather than for users). See /admin/groups/new/ in Hypha. Make sense?

This seems like a good try out of our new @Adopters and @Implementers group mentions.

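To make the public/private split proposed above concrete, here is an added example that is not Hypha’s code and not from anyone in this thread: a small model of token scopes in which a public token can only read already-public objects, the admin token is deliberately refused on public objects (so it is never the key someone reaches for on public data), and a custom private token mirrors a group’s permission codenames. The `Group`, `ApiToken` and `is_allowed` names, and the `view`/`change`/`delete` action vocabulary, are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed model of the scoping proposal in this thread; not Hypha's own code.


@dataclass(frozen=True)
class Group:
    """Stands in for an entry under /admin/groups/: a named bundle of permission codenames."""
    name: str
    permissions: frozenset  # e.g. {"view_submission", "change_submission"}


@dataclass(frozen=True)
class ApiToken:
    name: str
    scope: str                            # "public", "admin" or "custom"
    permissions: frozenset = frozenset()  # only consulted for "custom" tokens


def token_from_group(name: str, group: Group) -> ApiToken:
    """Issue a custom private token whose rights mirror a group (the 'later' stage in the thread)."""
    return ApiToken(name, "custom", group.permissions)


def is_allowed(token: ApiToken, kind: str, action: str, is_public: bool) -> bool:
    """Decide whether `token` may perform `action` ("view", "change", "delete") on one object.

    `kind` is the object type (e.g. "fund", "submission"); `is_public` says whether that
    particular object is already publicly visible.
    """
    if token.scope == "public":
        # Public tokens only read what is already public; they never touch private data.
        return is_public and action == "view"
    if is_public:
        # Private tokens are refused on public objects, so nobody is tempted to use
        # (and eventually leak) a fully privileged key for public reads.
        return False
    if token.scope == "admin":
        return True  # full rights on private data
    if token.scope == "custom":
        return f"{action}_{kind}" in token.permissions
    return False  # unknown scope: deny by default


if __name__ == "__main__":
    finance = Group("finance", frozenset({"view_submission", "view_invoice", "change_invoice"}))
    tok = token_from_group("finance-bot", finance)
    print(is_allowed(tok, "invoice", "change", is_public=False))   # True
    print(is_allowed(tok, "submission", "delete", is_public=False))  # False
```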

How do permissions for these different roles work in Hypha now, if they are not generated via API tokens?