Can I restrict API access?

My Mautic version is: v4.4.9

Hello,

I have a general question: when I create an API key, is there a way to restrict the rights for that key, so that only certain requests are allowed?

I would like to allow an external company to send new contact data to our Mautic. I thought they could do that by using the Create Contact API call. But once I hand out an API key, the owner would be able to do all kinds of API calls, right? This would be problematic, e.g. for privacy and security reasons. Or can I somehow restrict which calls are allowed?

I do not think Mautic offers that at this time.

A workaround would be to restrict calls on the webserver level and just allow calls to createContact from a specific IP, and deny all other requests to the API.

Of course this is not an ideal solution, but maybe it can cover your case.

Regards, M.
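The webserver-level workaround above, as an added example that is not from this thread or from the Mautic project: an nginx server block that lets one partner address reach only the Create Contact endpoint (POST /api/contacts/new) and refuses every other /api/ route at the edge. The hostname, the partner IP 203.0.113.10, the install path and the PHP-FPM socket are placeholders to adjust for your installation.

```nginx
# Added example (not from the thread): expose only POST /api/contacts/new to
# one partner IP and deny all other API routes before they reach Mautic.
# 203.0.113.10, the root and the FPM socket are placeholders/assumptions.
server {
    listen 443 ssl;
    server_name mautic.example.com;              # placeholder hostname
    root /var/www/mautic;                        # assumed install path

    # 1) The single API call the external company may make.
    #    Exact-match location wins over the /api/ prefix location below.
    location = /api/contacts/new {
        allow 203.0.113.10;                      # partner's fixed egress IP (placeholder)
        deny  all;                               # everyone else: 403
        limit_except POST { deny all; }          # endpoint is POST-only; block GET/PUT/DELETE/...
        try_files $uri /index.php$is_args$args;  # hand the request to Mautic's front controller
    }

    # 2) Every other API route is refused at the edge, whatever key is presented.
    location /api/ {
        return 403;
    }

    # 3) Normal front controller for the UI and everything else.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;  # assumed PHP-FPM socket
        internal;                                    # reachable only via the try_files rewrites above
    }
}
```

The API key itself keeps whatever permissions its Mautic role grants, so this only holds as long as the partner cannot reach /api/ through another vhost or directly via PHP-FPM; the blanket 403 on /api/ also blocks your own integrations unless you add their addresses to an allow-list.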

For basic auth you could add that API user to a certain group with restricted rights. So I guess this user will be limited to these allowed scenarios no matter whether using the GUI or the API access.

I would expect that - but it's yet to be confirmed.

Any information about the possibility to set access rights for an external platform, to limit them on which actions they could perform (which features they could use, level of access rights [i.e. Read a/o Write], …)?

Generally speaking: A user interacting with the API can do the same things as in the dashboard. This is controlled by the role you assign to them.

Here’s a guide on how to use the Mautic API. It discusses permissions, too.
