
We use Allbound to work with our partners.  The partner team would like to integrate our certification and course completion data with that platform.

Allbound wants us to give them access to our APIs to implement that.  I have some concerns about giving API access to an external party.  Are there privacy or security risks I should consider? Are there maintenance considerations?

What’s the risk of an endpoint they are using being deprecated and a reconfiguration being needed?  Anything else I should be thinking about?

I am a neophyte when it comes to APIs.  I have set up a Postman account and have set up a few internally but that’s about it.

Thanks for any thoughts you have that can inform my decision on approach.

 

Hi @jmkachidurian you have a lot going on there, and I am interested to see what others have to say.

I have done a bit of Python development accessing the API and it is essentially root access. I am curious how YOU can control what API calls they access and thus privacy.

Yes, there are risks. The API is documented. There are destructive commands. We do not have private info in our system but if you have private info in the user’s profile there would be a risk.

In some cases, training history could be considered private info, depending on your location. You should make sure and update your terms / conditions and privacy info to let your users know what they are signing up for.

Regarding deprecation, you need to document the endpoints being used and keep an eye on the monthly release notes to see if any of them are impacted.

Since you have set up Postman, you can see once you have that token you can run any endpoint that you can find documented.


Thanks, @dwilburn.  These are exactly my concerns.  Training history is considered private information in many of the countries we work with.  If I cannot control which users’ information they have access to and which endpoints they can access, it’s probably not a risk we will want to take.  

My impression of APIs is that they are a great tool for internal use to access or manipulate data internally but that the control issue is one that limits them to internal use for risk and privacy reasons.

I was wondering if anyone had found a way to limit the access for a specific token.


I would think that the limit would be in the application that they are using. They should secure the keys to the same level as you would secure root access to any system. Then they would only have access to specific endpoints.

But I do not know how this is implemented.
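
One way to limit what a partner can reach, shown as an added example that is not part of the original thread and not the platform's own code: keep the full-access token inside a small mediating service and let the partner call only that service, which applies a default-deny allow-list of methods, paths and fields. All paths, field names and records below are hypothetical placeholders, and the usage counter doubles as the inventory of endpoints to check against release notes.

```python
import re
from collections import Counter

# Hypothetical policy: (method, path pattern, fields the partner may see).
POLICY = [
    ("GET", re.compile(r"/example/v1/certifications"),
     {"user_id", "certification", "issued_on"}),
    ("GET", re.compile(r"/example/v1/courses/\d+/completions"),
     {"user_id", "course_id", "completed_on"}),
]

# Which allowed endpoints the partner really uses (deprecation inventory).
usage = Counter()

# Constructed sample of what the upstream API might return for one learner.
SAMPLE = [{"user_id": 7, "course_id": 12, "completed_on": "2024-01-05",
           "email": "learner@example.invalid", "manager": "someone"}]


def authorize(method, path):
    """Return the allowed field set for this call, or None to deny it."""
    path = path.split("?", 1)[0]
    # Refuse anything that could be normalised differently by the upstream.
    if ".." in path or "//" in path or "%" in path:
        return None
    for allowed_method, pattern, fields in POLICY:
        if method.upper() == allowed_method and pattern.fullmatch(path):
            usage[f"{allowed_method} {pattern.pattern}"] += 1
            return fields
    return None  # default deny: unlisted and destructive calls never go upstream


def filter_record(record, fields):
    """Keep only explicitly allowed attributes (default deny on fields too)."""
    return {k: v for k, v in record.items() if k in fields}


def handle(method, path, upstream_records):
    """Decide one partner request; upstream_records stands in for the API reply."""
    fields = authorize(method, path)
    if fields is None:
        return 403, []
    return 200, [filter_record(r, fields) for r in upstream_records]


if __name__ == "__main__":
    print(handle("GET", "/example/v1/courses/12/completions", SAMPLE))
    print(handle("DELETE", "/example/v1/courses/12/completions", SAMPLE))
```
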

