Read-only API keys or other solutions

I’m working with a team that would like to use the API for exporting forecast parameters but not allow writes back to ComboCurve.

The team wants to avoid a situation where somebody could mistakenly call an endpoint and modify forecasts, so they’d like to restrict it on the ComboCurve side (instead of in the application/script that uses the API key).

Is there a way to provide read-only API keys? I assume this isn’t possible yet, but even a simple version of this that restricts API keys to HEAD and GET endpoints would be really useful for this use case.

If read-only API keys aren’t an option, is there another way to accomplish this? I considered multiple environments and sharing projects across the environments, but this could be difficult to manage over time.

Thanks!

We don’t currently support read-only API keys or method-based restrictions (e.g., GET/HEAD only), and this isn’t on our roadmap at the moment.

If your team wants to avoid accidental writes, the best workaround for now is limiting access in your integration layer by exposing only read operations.


Thanks @Danny_Cooney. We do limit access to reads in the integration layer, but the team’s IT would like a stronger guarantee from the ComboCurve side. For example, you could imagine somebody trying to download forecast parameters from a reserves project and wanting to be absolutely sure they don’t accidentally write somewhere along the way.

We’ll look into other options for now. It would be great if ComboCurve could support read-only API keys or some kind of read-only service account with usage restrictions.
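
The integration-layer workaround discussed in this thread, sketched as an added example (not code from ComboCurve or from any poster here): a request factory that is the only code holding the API key and that builds nothing but GET/HEAD requests. The base URL, the `x-api-key` header name and the resource path are placeholders assumed for illustration.

```python
"""Read-only guard for an integration layer (added example; names are assumptions)."""
from urllib.parse import urljoin, urlsplit
from urllib.request import Request

READ_METHODS = frozenset({"GET", "HEAD"})
# Headers that some servers and frameworks honour to swap the effective method.
OVERRIDE_HEADERS = frozenset({
    "x-http-method-override", "x-http-method", "x-method-override",
})


class WriteBlocked(PermissionError):
    """Raised when a caller asks for anything other than a plain read."""


class ReadOnlyRequestFactory:
    def __init__(self, base_url, api_key, key_header="x-api-key"):
        # base_url and key_header are placeholders, not documented ComboCurve values.
        self._base = base_url.rstrip("/") + "/"
        self._origin = urlsplit(self._base)[:2]  # (scheme, host)
        self._auth = {key_header: api_key}

    def build(self, method, path, headers=None):
        verb = method.strip().upper()
        if verb not in READ_METHODS:
            raise WriteBlocked(f"{verb} refused: only GET/HEAD are allowed")
        url = urljoin(self._base, path.lstrip("/"))
        # An absolute URL passed as `path` must not carry the key elsewhere.
        if urlsplit(url)[:2] != self._origin:
            raise WriteBlocked("refusing to send the key to another origin")
        # Drop method-override headers so a GET cannot be reinterpreted upstream.
        safe = {k: v for k, v in (headers or {}).items()
                if k.lower() not in OVERRIDE_HEADERS}
        safe.update(self._auth)
        # No `data` argument is ever passed, so the request has no body.
        return Request(url, headers=safe, method=verb)
```

Pass the returned object to `urllib.request.urlopen`; scripts that only ever receive the factory, never the raw key, cannot construct a write request with it.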