I'm looking at how authentication an access work with CC, and unless I'm missing something, there there is not a way to repudiate API key usage.
Using OAuth is fine - it requires that the application authenticate itself by providing a secret in addition to the API key. However, there is no way to prevent unauthenticated use of our API key. In other words, it appears that there is no way to prevent other actors from using the CC API while claiming to be an arbitrary application.
Any usage requires the cooperation of a CC account holder, of course. Let's say my API key is XXXX.
The user is directed to CC, authenticated, and gives permission to API key XXXX to access their account. In order for XXXX to get an access token, the API key must be supplied to CC along with a secret known only the owner of API key XXXX. Thus authenticating and establishing the identity of the application identified by XXXX. Permission is then granted by means of an access token to act on behalf of a particular CC user.
Using that access token, anyone can now act on behalf of the user, using my XXXX access key, without being authenticated as the owner of that API key.
I don't want it to be possible for anyone else to impersonate my application. Any API calls will count against my concurrent and/or daily transaction limit. Additionally, any nefarious use of that user's account is done in association with my key.
The worst part is that even if *I* always use OAuth, which is fine, it doesn't prevent anyone from obtaining a key using method #2. I can't configure my API access in such a way that *requires* all uses of my API key to be authenticated. I want to be able to repudiate non-authorized uses of my API key.
Am I totally missing something? I assume I that I am, because that doesn't seem too cool.
Your question is interesting and we would like to look in to this more. Due to the nature of any involved details would you be willing to email us at firstname.lastname@example.org so we can go over this with you in more detail?