API Key and Bearer Tokens

QUESTION: Do we need both an API key and a bearer token? I tried just sending the bearer token but didn't have success - outside of potentially setting scopes on the API key, it doesn't seem like there's any added security when the API key has the power to authorize as any identity using `/authorizealias`. It seems like we should have some way to enforce the identity of the bearer and not proliferate API keys?

ANSWER: The API keys are a requirement on our public instance (and are pretty standard when dealing with third-party integrations), but can be made optional on enterprise deployments by changing the server configuration. However, you will lose a level of traceability since, aside from scoping, the API keys are used for identifying the application that is making that call.
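
A minimal sketch of the two-credential model described in the answer, added here as an example and not the vendor's code: the bearer token establishes the user, the API key establishes the calling application and its scopes, and the audit record keeps both. The `X-API-Key` header, the HMAC token format, the `require_api_key` switch and all sample values are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data; every name and value here is hypothetical.
TOKEN_SECRET = b"constructed-demo-secret"
API_KEYS = {  # keys are stored hashed, mapped to the owning application
    hashlib.sha256(b"demo-app-key").hexdigest(): {"app": "crm-integration", "scopes": {"read"}},
}

def _sign(payload: str) -> str:
    return hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(subject: str, ttl: int = 300) -> str:
    claims = json.dumps({"sub": subject, "exp": time.time() + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    return payload + "." + _sign(payload)

def verify_token(token: str):
    """Return the token's subject, or None if it is malformed, forged or expired."""
    payload, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["sub"] if claims["exp"] > time.time() else None

def authorize(headers: dict, required_scope: str, require_api_key: bool = True) -> dict:
    """Return the audit record for an allowed call, or raise PermissionError."""
    auth = headers.get("Authorization", "")
    user = verify_token(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if user is None:
        raise PermissionError("missing or invalid bearer token")
    key = headers.get("X-API-Key")
    app = API_KEYS.get(hashlib.sha256(key.encode()).hexdigest()) if key else None
    if key and app is None:
        raise PermissionError("unknown API key")
    if app is None and require_api_key:
        raise PermissionError("API key required")
    if app is not None and required_scope not in app["scopes"]:
        raise PermissionError("scope not granted to this application")
    # With the key made optional, "app" is None: the call is still tied to a
    # user, but no longer to the integration that made it.
    return {"user": user, "app": app["app"] if app else None, "scope": required_scope}
```
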
