API Security concerns

Just starting out using FreeAgent API, and I’m a little concerned about the security model, so I am hoping I’ve just missed something.

It appears that for my app, which just wants to read invoices, I have no way of restricting access to just that part of the API. It appears that we can only control access based on user permissions, which are incremental. Any reason why scopes aren’t being used?

Many thanks

Andy

Hi Andy,

My name is Katie, I’m one of the Support Engineers here at FreeAgent.

Yes, you are correct: currently the access you get from the API is dependent on the permission level the authenticated user has, rather than section-by-section access. The different areas of the app can be tightly interlinked with each other, which makes it hard to separate them out into different sections for access. For example, if you add payments to invoices, you would also need access to bank transactions and ledger entries. This is why the primary method of access is done on a user level rather than by section. However, we understand what you are asking for, and this is certainly something that we can look into and record as a feature request with the relevant team.

Please let me know if you have any other queries about this!

Thanks,
Katie

Hi Katie,

Thank you for taking the time to look into this. Adding support for scopes should be very simple, and allow us to deploy an application with confidence that if it is compromised it can only, for example, read invoices. Scopes would allow you to layer additional security as opposed to having to re-think the existing security model.
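The two models discussed in this thread can be put side by side in code. The example below is added here and is not FreeAgent's code or API; every scope name, operation name and permission level in it is a constructed, hypothetical value. It shows the layering Andy describes: a token's effective scopes are the intersection of what the integration asked for and what the authenticating user is allowed to do, so a read-only invoice integration cannot add payments even when its user could. It also shows Katie's point about interlinked areas: an operation that touches several resources simply requires several scopes at once, which is how the dependency between invoices, bank transactions and ledger entries can be expressed without collapsing back to whole-user access.

```python
"""Added example (not FreeAgent code): OAuth-style scopes layered on a user-level permission model.

All names below are constructed for illustration and do not correspond to a real API.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Every scope the hypothetical API knows about (constructed).
ALL_SCOPES = frozenset({
    "invoices:read", "invoices:write",
    "bank_transactions:read", "bank_transactions:write",
    "ledger:read", "ledger:write",
})

# Incremental user permission levels, as described in the thread: a higher level
# includes everything a lower level can do (constructed mapping).
LEVEL_GRANTS = {
    1: frozenset({"invoices:read"}),
    2: frozenset({"invoices:read", "invoices:write",
                  "bank_transactions:read", "ledger:read"}),
    3: ALL_SCOPES,
}

# Each API operation lists every scope it needs. Interlinked operations, such as adding
# a payment to an invoice, require scopes on all the resources they touch.
OPERATION_SCOPES = {
    "list_invoices": frozenset({"invoices:read"}),
    "create_invoice": frozenset({"invoices:write"}),
    "add_invoice_payment": frozenset({"invoices:write", "bank_transactions:write", "ledger:write"}),
    "list_bank_transactions": frozenset({"bank_transactions:read"}),
}


@dataclass(frozen=True)
class Token:
    user: str
    scopes: FrozenSet[str]


def issue_token(user: str, user_level: int, requested: Iterable[str]) -> Token:
    """Issue a token whose scopes never exceed the user's own permissions.

    Effective scopes = requested scopes INTERSECT scopes the user's level grants.
    Unknown or over-privileged requests are silently narrowed rather than granted.
    """
    grantable = LEVEL_GRANTS[user_level]
    return Token(user=user, scopes=frozenset(requested) & grantable)


def authorize(token: Token, operation: str) -> Tuple[bool, List[str]]:
    """Scope-based check: allowed only if the token holds every scope the operation needs.

    Returns (allowed, sorted list of missing scopes) so a denial can be logged precisely.
    """
    if operation not in OPERATION_SCOPES:
        raise ValueError(f"unknown operation: {operation}")
    missing = OPERATION_SCOPES[operation] - token.scopes
    return (not missing, sorted(missing))


def authorize_user_level(user_level: int, operation: str) -> Tuple[bool, List[str]]:
    """User-level-only check (the model the thread describes): the caller gets everything
    the authenticated user can do, regardless of what the integration actually needs.
    """
    if operation not in OPERATION_SCOPES:
        raise ValueError(f"unknown operation: {operation}")
    missing = OPERATION_SCOPES[operation] - LEVEL_GRANTS[user_level]
    return (not missing, sorted(missing))


if __name__ == "__main__":
    # A full-access user (level 3) connects an integration that only needs to read invoices.
    reader = issue_token("alice", 3, {"invoices:read"})
    print("scoped token, list_invoices:", authorize(reader, "list_invoices"))
    print("scoped token, add_invoice_payment:", authorize(reader, "add_invoice_payment"))
    # Under the user-level model the same integration could add payments.
    print("user-level only, add_invoice_payment:", authorize_user_level(3, "add_invoice_payment"))
    # A level-1 user cannot mint a token with more than they themselves hold.
    print("bob requests write:", issue_token("bob", 1, {"invoices:read", "invoices:write"}).scopes)
```

The denial path returns the exact missing scopes, which is what a defender wants in the audit log: a leaked read-only token attempting `add_invoice_payment` shows up as a scope violation rather than blending in with legitimate writes by the same user.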