Add support for Groups OpenCloud under group API keys

As it stands, right now, you must use an API key under your account in order to use the groups OpenCloud API.

Not only is there insufficient documentation on this, it is also a huge security risk.

A big part of using OpenCloud keys is the fact that security is extremely important for such sensitive actions that can be accessed through an endpoint.
The current work around for this is to create an account with the sole purpose of using an API key for ranking players. This is non sensical considering there already is support for groups using API keys for other APIs such as datastores, for example.

Please consider…
in the meanwhile I’ll be using an alternative account, prone to all the risks associated with using an account instead of an API key, for the purpose of ranking people in groups.

The response when using the endpoint under a group API key

{ "code": "UNAUTHENTICATED", "message": "Unsupported authorization method." }

1 Like

@Hooksmith Piggy-backing off of your response in this thread, this feature request describes the “issue” I was referring to.

You can’t use group API keys with the new ranking API. Only user ones. I’m assuming this is because if it did support group API keys, there’d be no user to log the rank change on behalf of in audit logs and such. This is such a detriment to our workflows and a huge user safety concern aforementioned.

Edit: Oh, you’re here.

Thanks for bringing this up, we’re aware of some limitations around group API keys, will raise it with the team. Please use API keys owned by users for now.

Also worth nothing that the description of the relevant permissions hasn’t yet been updated to include a section about changing user ranks:

If I need to file a bug report here, let me know. Hoping you can pass it on without this happening though

It’s not going to be a goal of ours to immediately update all of these references overnight. You can expect various non-user-facing part of the product like this to still refer to it as “groups” at times, this is expected behavior. Especially for the scopes here, those are used in API key and OAuth logic by third parties, so if we were to change those scope strings suddenly, scripts written by the community might break.

It’s not going to be constructive to report that as a bug, we’re aware of it, thanks.

I think I miscommunicated my concern. I’m referring to the descriptions of the permissions, ex. changing this:

“This allows you to manage community join requests for your account”

to this:

“This allows you to manage community join requests and update user roles from your account”

The non-inclusion of this additional permission in the scope description is a safety concern, considering users might not know they’re giving 3rd party applications them when creating an API key.

Fully aware that the scope titles and other APIs that include “groups” in their core won’t be updated for some time, if ever, as obviously this would be a majorly breaking change

1 Like