ability to assign roles/permissions to api keys

[bninja]

currently if i create an api key it has full access to the api.

it's useful to be able to create api keys with a limited set of permissions (either by assigning the api key a role or by explicitly setting permissions). this would allow me to e.g. hand out limited permission keys to 3rd parties or give team members limited control over the dashboard.

additionally i'd like to be able to see:

• which triggered events (e.g. which one was used to cancel a credit)
• which where used to access the api (e.g.which one was used to read transaction data).

[mjallday]

Would oAuth be a good solution here? It allows assigning permissions based on URIs (scope) and would allow setting an expiration on keys when they are handed out. It would also make it easy for 3rd party integration.

[bninja]

@mjallday sounds like what oauth (2.0?) was designed for, so yea lets explore using that. i guess the dashboard would be the initial consumer so lets validate our choice that way.

[trea]

I'd love to see OAuth 2 implemented! +1

[mjallday]

We're getting some love for this issue over on the balanced-dashboard as well

[benblair]

+1 We've seen some reluctance on the part of new sellers on our marketplace to trust our assertion that we have the buyer's funds on hand during a transaction. I think it would go a long way if they could verify directly with Balanced that payment for that particular transaction had been received.

[steveklabnik]

This is being worked on, but hasn't been finished yet!

[ariofrio]

Any progress on this? I think this would be not only really useful, but serve as a security feature by limiting what an attacker can do if they gain control of a server that only has access to a limited-permission API key.