Restrict Access to the API - Open Data API
Any user who wants to access the API must have an API key (which is obtained by logging into SuperWEB2 and viewing the Preferences page).
By default, all users will be able to obtain an API key from SuperWEB2, but if you do not want all your users to have access to the API you can restrict it so that keys are only available to users who belong to specific SuperADMIN groups.
Restrict Access to API Keys
To restrict API key access, make sure your users are organised into groups, then run the following command in SuperADMIN:
cfg global superadmin.apiToken.groups set <list_of_group_ids>
Replace <list_of_group_ids> with a comma-separated list of the group IDs that should have access to keys. Users will only be able to obtain an API key if they belong to one of the specified groups.
For example, the following command ensures that keys are only available to users who belong to the administrators or powerusers groups:
cfg global superadmin.apiToken.groups set [ "administrators", "powerusers" ]
Prevent Any Users from Accessing API Keys
If you do not want any users to be able to access API keys through SuperWEB2, then simply set the superadmin.apiToken.groups key to an empty array:
cfg global superadmin.apiToken.groups set []
Allow All Users to Access API Keys
If you want to allow all users to access API keys, run the following command:
cfg global superadmin.apiToken.groups remove
Revoke an API Access Key
The above commands can be used to prevent users from obtaining API keys for their accounts. However, any user who has already obtained an API key will still be able to use that key.
You can invalidate a user's existing key by running the following command in SuperADMIN:
account <user_id> invalidate token
For example, to invalidate the API key currently assigned to the user jsmith, run the following command:
account jsmith invalidate token
This command invalidates the user's current key, but it does not prevent the user from obtaining a new key in SuperWEB2.
If you want to turn off a user's API access completely, use this command together with the group-restriction command above, so that the user is no longer a member of any group that can obtain keys in SuperWEB2.
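The following is an added example, not SuperADMIN or SuperWEB2 code. It models the three states of superadmin.apiToken.groups described on this page (key removed, empty array, explicit group list), renders the corresponding SuperADMIN commands, and works through the off-boarding case from the last section: invalidating a user's current key and then checking whether that user could still obtain a new one under the current group policy. The user directory, the identifier pattern used for input validation, and the helper names are assumptions made for the example.

```python
"""Model of the SuperADMIN API-key access rules described on this page.

Added illustration only. It reproduces the documented semantics of
superadmin.apiToken.groups:
  * key removed (None here)  -> every user may obtain an API key
  * empty array []           -> no user may obtain an API key
  * list of group IDs        -> only members of a listed group may obtain one
and shows what is needed to fully turn off one user's API access.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Conservative identifier pattern for group and user IDs. This is an
# assumption for input validation in this example, not a rule the page states.
_ID_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def _check_id(value: str, kind: str) -> str:
    if not _ID_RE.match(value):
        raise ValueError(f"invalid {kind} id: {value!r}")
    return value


def can_obtain_key(user_groups: Iterable[str],
                   allowed_groups: Optional[List[str]]) -> bool:
    """Apply the documented rule: None = everyone, [] = nobody, else membership."""
    if allowed_groups is None:
        return True
    return any(g in allowed_groups for g in user_groups)


def groups_set_command(allowed_groups: Optional[List[str]]) -> str:
    """Render the SuperADMIN cfg command that enforces a given policy."""
    if allowed_groups is None:
        return "cfg global superadmin.apiToken.groups remove"
    for g in allowed_groups:
        _check_id(g, "group")
    if not allowed_groups:
        return "cfg global superadmin.apiToken.groups set []"
    body = ", ".join(f'"{g}"' for g in allowed_groups)
    return f"cfg global superadmin.apiToken.groups set [ {body} ]"


def users_with_key_access(directory: Dict[str, List[str]],
                          allowed_groups: Optional[List[str]]) -> List[str]:
    """Audit helper: which users in the directory can currently obtain a key."""
    return sorted(u for u, groups in directory.items()
                  if can_obtain_key(groups, allowed_groups))


def revoke_user_access(user_id: str, user_groups: Iterable[str],
                       allowed_groups: Optional[List[str]]) -> Tuple[List[str], bool]:
    """Return the SuperADMIN command to invalidate the user's current key and
    whether the user could still obtain a new key under the current policy.
    A True second value means the revocation alone is not enough: the user
    must also be removed from the allowed groups (or the policy tightened)."""
    _check_id(user_id, "user")
    commands = [f"account {user_id} invalidate token"]
    return commands, can_obtain_key(user_groups, allowed_groups)


if __name__ == "__main__":
    # Constructed sample directory (user -> SuperADMIN groups); not real data.
    directory = {
        "jsmith": ["staff"],
        "akhan": ["administrators"],
        "lwong": ["powerusers", "staff"],
    }
    policy = ["administrators", "powerusers"]
    print(groups_set_command(policy))
    print("can obtain keys:", users_with_key_access(directory, policy))
    for user in ("jsmith", "lwong"):
        cmds, still_allowed = revoke_user_access(user, directory[user], policy)
        print(*cmds, sep="\n")
        if still_allowed:
            print(f"  note: {user} can still obtain a new key; remove from allowed groups")
```

In the sample run, jsmith's key is invalidated and, not being in an allowed group, jsmith cannot obtain another; lwong is still a member of powerusers, so the audit flags that revoking the key alone does not turn off lwong's API access.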