Mechanisms for API Permissions Control

Can you control permissions when using the old application API key?

Does the new OAuth2 authentication system use the permissions of the authenticated user (i.e. who accepted the OAuth2 flow)?

Knowing whether the API key allows the behaviour is important even if the new OAuth2 system provides this level of control.

Hi @Dylan_Lester, the Legacy API key is not associated with any user and essentially gives full administrative access to integrating applications.

The OAuth2 flow ties the access token to the user that provided authorization, so whatever permission level that user has will be what the access token will have permission to do. This is largely controlled by the permission settings under Admin > Users > Edit Permissions.

Hi @Nicholas_Trecina, thank you for the excellent reply. That answers my questions.

You’re welcome!