Restrict API Usage

Discussion in 'LiquidFiles General' started by Paul Hirose, Aug 8, 2024.

  1. Paul Hirose

    Paul Hirose New Member

    Joined:
    Jan 10, 2020
    Messages:
    17
    Likes Received:
    0
    Is there a way to limit which users (preferably by group) can use which (or any) API?
    All users get an API key (whether they know it or not). I use the API for administrative purposes so I can't globally disable them. But can I restrict API access to only certain users, api-keys, or IP list?

    Thank you,
    PH
     
  2. David

    David Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    806
    Likes Received:
    31
    By default all local users and admins have access to API and generated some API key.
    When most of users should not have access to API then in these users groups (Admin > Groups > edit Group i.e. Local Users)
    disable the "Users in this group have access to the API (for Outlook plugin, other plugins and integration)" checkbox under the "Basic Settings" tab.
    For the local users who should have access to API you can create a custom local users group (Admin > Groups > Add Group).
    In this group enable the "Users in this group have access to the API (for Outlook plugin, other plugins and integration)" checkbox.
    Assign the required users who should have access to API into this custom group.
     
  3. Johan

    Johan Administrator
    Staff Member

    Joined:
    Dec 1, 2015
    Messages:
    41
    Likes Received:
    1
    In regards to what users can use what API, this simply matches what the user is permitted to do (on a per group basis). On default Local Users have access to all features, and all APIs. If you disable Secure Messages for a group, they won’t be able to use Secure Messages on the web interface or using the API, including from any plugins. The same goes for any settings, let’s say you disable the ability for a group to change message expirations, and force all messages to have an expiration of 60 days. This would then be the same regardless if the user use the web interface, the API or any plugin.

    It’s not possible (or planned) to permit a group to be able to use the web interface for something but not the API or vice versa.
     

Share This Page