Limit API Client Access
You may want to restrict what some API clients can do. For example, you may want to give certain vendors, or internal groups, access to your website so they can modify their own information without being able to read or change anything else. Permissions are set per API client.
- Go to your dashboard, and open the target property by clicking on the Capture icon.
- Make sure you’re in your Dev app, then go to the API Clients tab.
- Create a new client for your vendor to use, and give it the direct_access permission.
- You now have a client ID and client secret for the vendor that does not carry the full permissions of your owner client. Do not transmit these credentials over email, IM, social networks, or other unsecured channels.
- To restrict which fields the vendor can see or change (scoped access), use the entityType.setAccessSchema API call; see the entityType.setAccessSchema reference page and the discussion on the API Clients page.
You can set several different permissions, such as direct_access and access_issuer, through the Janrain Dashboard. See the discussion of these permissions in the API Clients Page section.
- Authenticate the entityType.setAccessSchema call with your main (account owner) client ID and secret, not with the vendor's new credentials.
- The entity type to pass is user, which is the default and the only type currently available in a developer account.
- Set access_type to read to define the read permissions, or to write to define the write permissions.
- Important: pass in the list of attributes to which you want the client to have access, as a JSON array. For example, if you only want the vendor to read email, display name, and birthday, you would pass ["email", "displayName", "birthday"] (see the Schema tab in your dashboard for the exact attribute names).
- You must make this call twice, once with access_type read and once with access_type write, because every new client ID starts with full read and write privileges. Setting only the read schema leaves the client with unrestricted write access, which is usually the more dangerous of the two.
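The procedure above, as an added example that is not code from the original page or from Janrain: it builds and sends both entityType.setAccessSchema calls for a vendor client, so that neither the read nor the write side is left at its default. The endpoint path, the form field names (client_id, client_secret, type_name, for_client_id, access_type, attributes), the "stat": "ok" success reply and the example.janraincapture.com host are assumptions to check against your own Capture API reference; the fake opener and the credential strings are constructed so the script runs offline.

```python
"""
Added example (not from the original page or Janrain): scope a vendor API
client to an explicit read list and an explicit write list by calling
entityType.setAccessSchema once per access_type.

Assumptions to verify against your Capture API reference:
  - form-encoded POST to <capture base URL>/entityType.setAccessSchema
  - authenticated with the owner client's client_id / client_secret as form
    fields, plus type_name, for_client_id, access_type and attributes (JSON)
  - a successful reply is a JSON object containing "stat": "ok"
"""
import json
import urllib.parse
import urllib.request


def undeclared_writes(read_attributes, write_attributes):
    """Attributes the client could write but not read back (local policy check)."""
    return sorted(set(write_attributes) - set(read_attributes))


def build_access_schema_requests(owner_client_id, owner_client_secret,
                                 vendor_client_id, read_attributes,
                                 write_attributes, type_name="user"):
    """Return one set of POST fields per access_type, read first, then write.

    Both calls are always built: a client whose read schema is set but whose
    write schema is not keeps its default, unrestricted write access.
    """
    read_attributes = list(read_attributes)
    write_attributes = list(write_attributes)
    bad = undeclared_writes(read_attributes, write_attributes)
    if bad:
        # Policy chosen for this example, not a Capture rule: never grant write
        # on an attribute the vendor cannot read, so it can verify its own changes.
        raise ValueError("write attributes missing from read list: " + ", ".join(bad))
    requests_ = []
    for access_type, attrs in (("read", read_attributes), ("write", write_attributes)):
        requests_.append({
            "client_id": owner_client_id,        # owner credentials, not the vendor's
            "client_secret": owner_client_secret,
            "type_name": type_name,              # "user" is the only type in a dev account
            "for_client_id": vendor_client_id,   # the client being restricted
            "access_type": access_type,
            "attributes": json.dumps(attrs),     # JSON array, e.g. ["email", "displayName"]
        })
    return requests_


def post_form(base_url, method, fields, opener=urllib.request.urlopen):
    """POST form fields to <base_url>/<method> and decode the JSON reply."""
    url = base_url.rstrip("/") + "/" + method
    data = urllib.parse.urlencode(fields).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def scope_vendor_client(base_url, owner_client_id, owner_client_secret,
                        vendor_client_id, read_attributes, write_attributes,
                        opener=urllib.request.urlopen):
    """Apply the read schema and then the write schema; stop on the first rejection."""
    applied = []
    for fields in build_access_schema_requests(owner_client_id, owner_client_secret,
                                               vendor_client_id, read_attributes,
                                               write_attributes):
        reply = post_form(base_url, "entityType.setAccessSchema", fields, opener)
        if reply.get("stat") != "ok":
            raise RuntimeError("setAccessSchema(%s) failed: %r" % (fields["access_type"], reply))
        applied.append(fields["access_type"])
    return applied


# --- constructed offline stand-in for the Capture endpoint ---------------------
SENT = []  # every form body the fake endpoint received, decoded with parse_qs


class FakeResponse:
    def __init__(self, body): self._body = body
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def fake_opener(req):
    """Record the request and answer like a successful Capture call."""
    SENT.append(urllib.parse.parse_qs(req.data.decode("utf-8")))
    return FakeResponse(b'{"stat": "ok"}')


if __name__ == "__main__":
    done = scope_vendor_client("https://example.janraincapture.com",  # placeholder host
                               "OWNER_CLIENT_ID", "OWNER_CLIENT_SECRET", "VENDOR_CLIENT_ID",
                               read_attributes=["email", "displayName", "birthday"],
                               write_attributes=["displayName"],
                               opener=fake_opener)
    print("applied access_type:", done)
    print("calls sent:", len(SENT))
```

Drop the `opener` argument to send the calls for real; keep the owner secret out of the script (an environment variable or secret store) rather than hard-coding it as the placeholder does here.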