Summary: We currently lack a scalable and secure method for generating API keys for our external partners. This request outlines the need for a dedicated interface within the Contractor Module to allow self-serve API key generation, as well as a new, neutral method for provisioning API keys to third-party Aggregators without inheriting the creator's user permissions.
Current Behaviour / Problem Statement: This issue is currently two-fold and creates significant operational bottlenecks and security concerns:
Contractor Limitation: Contractors currently do not have the ability to request or generate their own API keys within the Contractor Portal.
Aggregator Limitation & Security Risk: Aggregators cannot request API keys because they do not exist on the portal as Contractors. Currently, the only way to generate an API key for an Aggregator assigns the key the exact same permissions as the internal user (Creator) who generated it. This violates the principle of least privilege and creates a security risk, as Aggregator keys should not be tied to an individual employee's permission set.
Proposed Solution / Requested Behaviour:
For Contractors: Introduce a self-service interface within the Contractor Module where authenticated Contractors can request, generate, and manage their own API keys securely.
For Aggregators: Develop a "Neutral" API Key Creation Interface. This should function like a service account, allowing internal admins to generate API keys for Aggregators with customised, scope-limited permissions that are entirely independent of the Creator’s personal user permissions.
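As an added illustration (not code from this request or from the Contractor Module), the Python sketch below models the proposed "Neutral" key: the key record carries its own explicit scopes drawn from a grantable set, and authorization consults only those scopes, never the creating admin's permissions. All names here (AGGREGATOR_GRANTABLE_SCOPES, issue_aggregator_key, authorize, the scope strings) are assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed example: the only scopes an internal admin may grant to an Aggregator key.
# An admin's own broader permissions (e.g. "users:delete") never appear here.
AGGREGATOR_GRANTABLE_SCOPES = frozenset({"jobs:read", "invoices:read", "webhooks:write"})


@dataclass(frozen=True)
class ApiKeyRecord:
    key_id: str
    key_hash: str        # only a hash of the secret is persisted
    principal: str       # the Aggregator the key acts for, not the admin who created it
    scopes: frozenset    # the key's own, explicit permissions
    created_by: str      # recorded for audit only; never consulted for authorization


KEY_STORE: dict = {}     # in-memory stand-in for the key table


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_aggregator_key(admin_user: str, aggregator: str, requested_scopes) -> str:
    """Issue a key bound to the Aggregator with explicitly chosen scopes.

    The admin's permission set is not copied onto the key; every requested scope
    must be in the grantable set, so a key can never exceed what an Aggregator
    is allowed even if the admin personally holds more. Returns the plaintext
    key exactly once."""
    scopes = frozenset(requested_scopes)
    if not scopes:
        raise ValueError("a key must have at least one scope")
    disallowed = scopes - AGGREGATOR_GRANTABLE_SCOPES
    if disallowed:
        raise ValueError(f"scopes not grantable to aggregators: {sorted(disallowed)}")
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    KEY_STORE[key_id] = ApiKeyRecord(key_id, _hash(secret), aggregator, scopes, admin_user)
    return f"{key_id}.{secret}"


def authorize(api_key: str, required_scope: str) -> bool:
    """Decide purely on the key's own scopes; the creator's role plays no part."""
    key_id, _, secret = api_key.partition(".")
    rec = KEY_STORE.get(key_id)
    if rec is None or not secrets.compare_digest(rec.key_hash, _hash(secret)):
        return False
    return required_scope in rec.scopes
```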
This gets my backing