Let me get an API access token right from the MURAL web GUI

The new MURAL API (Beta) is awesome! And I have been encouraging my teammates to try it out.

To make it easier for them to get started, I set up a web app where my teammates can log in through SSO and then get a MURAL API access token to use.

Pain point

If someone is building an integration app, OAuth 2.0 is the way to go.

However, for someone just getting started on their own, for someone who wants to run a few scripts to process the contents of a mural or two, setting something up to go through OAuth 2.0 just to get an access token is a pretty long walk.

Request

Add something to the MURAL web interface so that a mural creator can get an API access token for that mural right from the MURAL GUI.

Thoughts and implementation ideas:

  • You know they have authenticated, because they are in the MURAL GUI. 
  • Only the mural creator would be authorized to get a token this way.
  • You could set the token to be valid for only that mural. 
  • Scopes could be selected from a drop-down list.
  • Once the mural creator copies the token, there is no way to view it again (you'd just have to get a new one.)
  • The token would expire - in 15 minutes(?) - like the tokens from OAuth 2.0.
  • You could make tokens obtained this way un-refreshable.

From a security perspective:

  • Making the token available to only the creator of that mural, making it valid for only that mural, and making it un-refreshable would be *more* secure than the current OAuth 2.0 process.

From a business perspective:

  • This would really make it easier for people to get value from the new API faster.

Is the MURAL team already planning something like this?

To other API users: What do you think? Would you use this feature?
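
The properties listed in the post above (creator-only, bound to one mural, selected scopes, shown once, 15-minute expiry, no refresh) can be combined in one issuer as follows. This is an added example, not part of the original post and not MURAL's implementation; `TokenService`, the scope names and the mural ids are assumptions made up for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 15 * 60                              # the 15-minute lifetime floated in the post
ALLOWED_SCOPES = {"murals:read", "murals:write"}   # assumed scope names for the drop-down


class TokenService:
    """Hypothetical issuer for per-mural, short-lived, non-refreshable tokens."""

    def __init__(self, creators, clock=time.time):
        self.creators = creators   # mural_id -> creator user id (constructed data)
        self.clock = clock         # injectable clock so expiry can be exercised
        self._records = {}         # sha256(token) -> record; plaintext is never stored

    def issue(self, user_id, mural_id, scopes):
        """Return the token once; afterwards the server holds only its hash."""
        if self.creators.get(mural_id) != user_id:
            raise PermissionError("only the mural creator may request a token")
        scopes = set(scopes)
        if not scopes or not scopes <= ALLOWED_SCOPES:
            raise ValueError("unknown or empty scope selection")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[digest] = {
            "mural_id": mural_id,
            "scopes": frozenset(scopes),
            "expires_at": self.clock() + TTL_SECONDS,
        }
        return token               # no refresh token is issued alongside it

    def authorize(self, token, mural_id, scope):
        """True only if the token is live, bound to this mural, and holds the scope."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._records.get(digest)
        if record is None:
            return False
        if self.clock() >= record["expires_at"]:
            del self._records[digest]   # expired tokens are purged, never renewed
            return False
        return record["mural_id"] == mural_id and scope in record["scopes"]
```

Because only the hash is kept, a lost token cannot be displayed again; the creator has to request a new one.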


Comments

  • Meghan

    Hi @spackows! I'm working on this one to confirm if it is an option. If not, stay tuned and continue to garner votes and feedback on this potential feature request!

  • spackows
    edited July 2022

    Here's an example from the video-conference software, webex:

    1. Go to their documentation: https://developer.webex.com/docs/getting-started
    2. Log in (this takes you through your [enterprise] account SSO)
    3. When you view the reference information for a specific function, you get a time-limited token right there. You can make test calls right from that docs page, or you can copy that token into a script to run from your computer or whatever.

    https://developer.webex.com/docs/api/v1/meetings/list-meetings

    This is quite a handy way to try out the API - without having to deploy an app for OAuth 2.0.

  • spackows

    Just following up about this..

    During the past year since posting this item, I have done so many workshops inside my company and externally as well as sharing samples in blogs, and every time I get the same feedback: Requiring people to go through OAuth2 (even using Postman) just to kick the tires on the API is too much friction, so people just don't bother.

    If people could grab a token from the MURAL interface, then it's secure because they're logged in. And even if the token expires after a few minutes, that would be enough for them to get started learning the API, and it would be enough for people to take advantage of the API for ad-hoc scripting.