Improve API authentication #5163

@grantfitzsimmons

Is your feature request related to a problem? Please describe.
Our current authentication system relies on a CSRF token that is generated when logging in. It is rather cumbersome compared to an approach with an API key and has resulted in many users facing difficulty when trying to make requests via the API.

Describe the solution you'd like
We should add support for an API key/token (or similar approach) that can be generated within the security & accounts system and reused.

Describe alternatives you've considered
You can generate an access token and use it in subsequent requests, but this is more fragile than using an API key.

Reported By
Corinna P at CSIRO on Asana:

Over the past couple of months, a number of side projects required connectivity to our Specify instances utilising the API. Various software approaches have been used and in every instance, people struggled with the authentication part.

We would like to request a more streamlined approach to API authentication, for example, via an API key/token that can be generated within the Accounts system.

Also by Matthew C at UMich:

I am looking to avoid scenarios where other apps are expecting the endpoints we provide them to be public.

It might be useful to have a discussion on the capabilities / limitations of the S7 API in the next few months to help direct the API's development down the road.

Metadata

Labels

1 - Enhancement: Improvements or extensions to existing behavior
2 - API: Issues that are related to the APIs
3 - Verified: If an institution makes a request and it has been confirmed to be accurate, this tag will be used.
