
Add an advanced API token option to allow selection of all API methods separately.

Monarobase shared this idea 4 months ago
Need More Information

As a web-hosting provider, I would like to have the ability to customise which API methods are allowed when creating a token with full root access, so that it is more secure to use the API.

This would greatly improve the security of using API tokens. You should never allow full access to all API methods in order to limit the impact if the tool that uses the API is compromised.

We have encountered two cases where this would be helpful.

- Transfer accounts between servers without allowing this token to delete accounts, add SSH keys, reboot the server, etc.

- List all user accounts, including accounts owned by other users, without allowing the API token to do anything else.

I would see this feature as an addition to the existing system: a simple ACL with checkboxes for all API methods that is only accessible when "Everything all root access" is enabled.

Replies (2)


Hi Monarobase,

I have a scenario I want to pose to make sure I understand your request clearly. Are you envisioning a way to add an API token that (1) starts with allowing all APIs by default and then (2) lets you choose specific APIs you want excluded from access?


There are quite a few things you currently can't do without providing access to all API methods with full root access. Doing this isn't secure.

When full root access is required, I want to have the ability to specify which API methods are allowed. I don't mind how it's achieved.

I want to have a way to have a token that can only transfer users to a new server, or a token that can only list all users on the server. I want to remove the requirement to allow access to all API methods in order to use a single API method.
