We are a third-party provider. Our customers use the wireless Wi-Fi device we provide to collect email signups at their place of business.
We use the CC API to add the new contacts directly into our customer's account. There are no issues with any of the integration.
However, we, being a 3rd party provider, should not be asking our customers for their CC account/password to be able to use the API integration. This causes a serious security issue, both for us and our customers (particularly big ones). Why can't we have a separate password for API access? With this password, you cannot log in to the CC account using the Web; it can only be used with the API. Also, have the ability to assign a distinct password for each "Developer API Key". This will not only enhance security from the CC customer's perspective, but also give them total control of when to shut down a particular external provider application. This will also get us (as a 3rd party app provider) out of the bind if a customer account ever gets compromised, as the passwords are different and the culprit source can be clearly identified.
I'll forward your feedback on to our Product Management team. We have had previous feedback for multiple logins or multiple access levels on an account and I believe that may be a better solution. We are unlikely to be able to allow a single customer to turn off an API Key as many of our developers have their API Keys and integrations used by 10s or 100s of accounts.
Thanks for the reply. As long as you have a mechanism in place where the customer doesn't have to share their web account password, it will resolve the immediate security concerns. It also solves the related issue of customers changing their passwords without knowing there are 3rd party applications using them. If the passwords are different, there are minimal chances of running into this issue.
Appreciate you looking into this.