cool-daniel suggested an idea · Jan 27, 2018 at 02:41 AM · apis · Account Management
It would be useful if you could set permissions for each secret key to limit its usage on specific categories like Player Data Management or Account management within the admin or server api while denying access to other categories of the api. This would enable admins to give out secret keys without exposing all functionality (like for example only letting a secret key call the GetPlayerProfile while not working for BanUsers).
Agreed! :)
One addition to this: It would also be useful to be able to limit it to executing certain cloudscript handlers.
david-marcelis commented · Feb 19, 2018 at 02:40 PM
Want to upvote this issue. The idea of having the Server Key have access to the Admin API is scary. This means if a server or matchmaker was compromised, it gives permissions to change builds or worse.
Just a separation between Server Key, Matchmaker Key, and Admin Key would already greatly reduce the potential impact.