Docs: Clarify how /customer-portal/license-keys endpoints rely only on the license key for authorization vs. an access token #4800
Labels
docs/content
Developer & product docs, guides and content
Description
All our endpoints rely on access tokens to authenticate and authorize requests, except /customer-portal/license-keys. This is by design and standard across other/all license key services. Why? The license key acts as the authentication & authorization, allowing developers to avoid having to leverage and include a PAT with their applications to leverage license key validation. For instance, a macOS app could integrate our license key API and activate/validate license keys provided by the customer in-app without having to bundle a PAT string into the binary (security risk).
Customers enter their license key that only they should know about (except the seller & Polar too - all trusted parties in this context) and the APIs can rely on it being authentication/authorization to make requests for that specific key.
We should document this to avoid it being a surprise, causing confusion, or being seen as a potential security vulnerability.
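The two authorization models described in this issue, sketched side by side as an added example (not Polar's code and not part of the original issue): requests under /customer-portal/license-keys are authorized by the license key in the body and scoped to that one key, while every other path needs a bearer token. The `authorize` function, the digest storage, the status codes, the `/products` path and all sample keys and tokens are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY_AUTH_PREFIX = "/customer-portal/license-keys"  # path named in the issue


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample data; storing only digests is an assumption of this sketch.
LICENSE_KEYS = {
    _digest("DEMO-KEY-ALICE"): {"id": "lk_1", "status": "granted"},
    _digest("DEMO-KEY-BOB"): {"id": "lk_2", "status": "revoked"},
}
ACCESS_TOKENS = {_digest("demo_pat_seller"): {"org": "org_1"}}


def _lookup(table, secret):
    """Find a record by secret, comparing digests in constant time."""
    candidate = _digest(secret)
    for stored, record in table.items():
        if hmac.compare_digest(stored, candidate):
            return record
    return None


def authorize(path, headers, body):
    """Return (status, principal); status codes here are hypothetical."""
    if path == KEY_AUTH_PREFIX or path.startswith(KEY_AUTH_PREFIX + "/"):
        # The license key is the credential: no Authorization header is read.
        key = body.get("key")
        record = _lookup(LICENSE_KEYS, key) if isinstance(key, str) else None
        if record is None:
            return 404, None
        # The principal covers this one key only, never the seller's account.
        return 200, {"scope": "license_key", "license_key_id": record["id"]}
    # Every other endpoint requires an access token.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    token = _lookup(ACCESS_TOKENS, auth[len("Bearer "):])
    if token is None:
        return 401, None
    return 200, {"scope": "organization", "org": token["org"]}


if __name__ == "__main__":
    print(authorize(KEY_AUTH_PREFIX, {}, {"key": "DEMO-KEY-ALICE"}))
    print(authorize("/products", {}, {"key": "DEMO-KEY-ALICE"}))  # 401
```

The second call shows the property worth documenting: a license key presented to any other endpoint authorizes nothing.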