Should the API key be set on a user's personal team or on the user?

Roberto Plancarte
I've been thinking of adding API keys with permission to edit my teams, and have the team share that key. Since the point of personal teams is to treat users the same way we do teams, shouldn't the API key for a user be set on their personal team and not on the user model itself?
Chris Oliver
Hey Roberto!

Think of API tokens as a way to authenticate as a specific user and give access to the same things in the API as if they had just logged into their account like normal. 

API tokens should belong to User so that you can determine which user is doing things, not a team. This adds a lot of benefits in that you can have solid logging of user actions, but also revoke an individual user token instead of a whole team's token. 

In the case of the personal team, there's no reason to treat it uniquely so you can use the same logic for both regular and personal teams. That keeps it simple and you're not building different code for personal or regular teams. That is just going to lead to a mess in the long run.

If you wanted to add permissions, you can add a team_id to your API token model so that it can only be used for a specific team. If it was set to null, you could let them access any team the user has access to.
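
The token design described in the reply above, sketched as an added example in plain Ruby; it is not part of the original post or any project's code. `User`, `ApiToken`, `TokenStore`, the digest-only storage and the per-request membership check are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Plain-Ruby stand-ins for the app's models; every name here is hypothetical.
User = Struct.new(:id, :team_ids)

ApiToken = Struct.new(:user, :team_id, :revoked) do
  # team_id nil: any team the owner belongs to. Otherwise: that team only.
  # Membership is checked on every call, so removing the user from a team
  # also cuts off tokens scoped to it.
  def allows?(requested_team_id)
    return false if revoked || !user.team_ids.include?(requested_team_id)
    team_id.nil? || team_id == requested_team_id
  end
end

class TokenStore
  attr_reader :audit_log
  def initialize
    @tokens = {} # SHA-256 digest => ApiToken; the plaintext is never stored
    @audit_log = []
  end

  # Returns the plaintext token once, at creation.
  def issue(user, team_id: nil)
    plaintext = SecureRandom.hex(32)
    @tokens[digest(plaintext)] = ApiToken.new(user, team_id, false)
    plaintext
  end

  # Revokes one user's token; other users' tokens keep working.
  def revoke(plaintext)
    token = @tokens[digest(plaintext)]
    token.revoked = true if token
  end

  # Returns the acting User or nil, and logs which user the request acted as.
  def authorize(plaintext, team_id)
    token = @tokens[digest(plaintext)]
    allowed = !token.nil? && token.allows?(team_id)
    @audit_log << { user_id: token&.user&.id, team_id: team_id, allowed: allowed }
    allowed ? token.user : nil
  end

  private
  def digest(plaintext)
    Digest::SHA256.hexdigest(plaintext.to_s)
  end
end
```
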
Roberto Plancarte
That makes sense. Thanks :)