Security Risk: Single API token for all users
Adam Pavlacka
This is an issue that isn't made clear in the documentation, but Helpjuice does not provide per-user API keys. It only provides a single API key.
This is a security issue that violates the best practice of least privilege.
1) The API is always at admin level (so you can't assign a service account that is view-only and limit API usage that way).
2) If you have multiple integrations, you should have a single API key for each one. This way, if something goes wrong, or you need to terminate access, it can easily be done by removing the corresponding user.
Atlassian's use of API keys is a good example of how it should be done.
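The two points above, as an added sketch that is not part of the original post and not Helpjuice's or Atlassian's API: a hypothetical `KeyRegistry` issues one key per integration with its own scopes, stores only a hash of each key, and revokes one integration without touching the others. The integration names and scope names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

READ, WRITE = "read", "write"  # assumed scope names


class KeyRegistry:
    """Hypothetical per-integration key store (illustrative only)."""

    def __init__(self):
        # integration name -> (sha256 hex of key, allowed scopes); raw keys are never stored
        self._keys = {}

    def issue(self, integration, scopes):
        raw = secrets.token_urlsafe(32)
        self._keys[integration] = (self._digest(raw), frozenset(scopes))
        return raw  # returned to the caller once, then only the hash remains

    def revoke(self, integration):
        return self._keys.pop(integration, None) is not None

    def authorize(self, raw, needed_scope):
        """Return the integration name if the key is valid and has the scope, else None."""
        digest = self._digest(raw)
        for name, (stored, scopes) in self._keys.items():
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                return name if needed_scope in scopes else None
        return None

    @staticmethod
    def _digest(raw):
        return hashlib.sha256(raw.encode()).hexdigest()


def demo():
    reg = KeyRegistry()
    widget_key = reg.issue("search-widget", {READ})      # read-only integration
    sync_key = reg.issue("docs-sync", {READ, WRITE})     # needs write access
    results = {
        "widget_can_read": reg.authorize(widget_key, READ),
        "widget_can_write": reg.authorize(widget_key, WRITE),
        "sync_can_write": reg.authorize(sync_key, WRITE),
    }
    reg.revoke("search-widget")  # terminate one integration only
    results["widget_after_revoke"] = reg.authorize(widget_key, READ)
    results["sync_after_revoke"] = reg.authorize(sync_key, WRITE)
    return results


if __name__ == "__main__":
    print(demo())
```

Because `authorize` returns the integration name, every request can also be logged against the integration that made it, which a single shared key cannot provide.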
Steve Tapley
Agreed, this is an issue for us too, where we want to issue low-value read-only keys!
Om Goeckermann
This is increasingly important, especially for users from larger organizations who are being much more strict about 3rd-party providers.