Hello everyone!
TL;DR:
I spent some time looking into all of our APIs across all versions and I've updated the documentation from the work I have done thus far. You can see the API spec diff here
The results running the same script Mark Cheek provided:
Total endpoints checked: 3144
Endpoints using only userAuth: 1602
That is closer to 50%, but it is still not what I would expect. I am continuing to work with individual engineering teams to determine whether or not their APIs should work with client credentials.
My method:
I looked individually at the backend code of each endpoint to see what underlying security right is needed. Then I used a tool I made to determine which scope (the part that is documented and assignable via token) that right falls under.
We had some APIs documented with the right needed to call the endpoint rather than the scope. This was confusing, because when you went to create the token with scopes, the right name that was documented wasn't there. I've cleaned up nearly all of these, and we are putting checks in place to make sure that only scopes are documented by our engineers writing the specs.
Finally, there is the main question: what can be called via client credentials (applicationAuth)? I was able to take the right and map it to the idn:api user level associated with client credentials, then loop through and see which APIs are callable.
As I mentioned, I still have more work to do on this. I wanted to update the community with what I had found thus far.
Stay tuned!
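For anyone who wants to reproduce the two checks described above on their own spec, here is an added example (not Mark Cheek's script and not the project's real spec) that walks an OpenAPI 3 document, counts which operations accept only userAuth versus also accepting applicationAuth, and flags any scope name used in a security requirement that is not declared on the corresponding securityScheme (the "right documented instead of scope" problem). The scheme names userAuth and applicationAuth follow the post; the scope names, paths and the tiny embedded spec are constructed for illustration.

```python
"""Audit an OpenAPI 3 document for auth coverage and undeclared scopes.

Added example for this thread; the spec below is constructed, not real.
"""
from collections import Counter

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec. Scheme names follow the post; everything else is made up.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "userAuth": {
                "type": "oauth2",
                "flows": {"authorizationCode": {
                    "authorizationUrl": "https://example.invalid/authorize",
                    "tokenUrl": "https://example.invalid/token",
                    "scopes": {"idn:account:read": "Read accounts",
                               "idn:account:manage": "Manage accounts"}}},
            },
            "applicationAuth": {
                "type": "oauth2",
                "flows": {"clientCredentials": {
                    "tokenUrl": "https://example.invalid/token",
                    "scopes": {"idn:account:read": "Read accounts"}}},
            },
        }
    },
    # Top-level requirement applies to every operation that does not override it.
    "security": [{"userAuth": ["idn:account:read"]}],
    "paths": {
        "/v3/accounts": {
            "get": {"security": [{"userAuth": ["idn:account:read"]},
                                 {"applicationAuth": ["idn:account:read"]}]},
            "post": {"security": [{"userAuth": ["idn:account:manage"]}]},
        },
        "/v3/accounts/{id}": {
            # A right name documented where a scope belongs: not declared on the scheme.
            "delete": {"security": [{"userAuth": ["idn:account-delete"]}]},
        },
        "/v3/public-identities": {"get": {"security": []}},  # explicitly anonymous
        "/beta/sources": {"get": {}},  # inherits the top-level requirement
    },
}


def iter_operations(spec):
    """Yield ("METHOD /path", effective security requirement list) per operation."""
    global_req = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip parameters/summary/etc. on the path item
            # An operation-level "security" key fully overrides the global list,
            # including an empty list, which means "no auth required".
            yield f"{method.upper()} {path}", op.get("security", global_req)


def declared_scopes(spec):
    """Map scheme name -> set of scope names declared across all of its flows."""
    out = {}
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        scopes = set()
        for flow in scheme.get("flows", {}).values():
            scopes.update(flow.get("scopes", {}))
        out[name] = scopes
    return out


def audit(spec):
    """Count operations by auth posture; return (Counter, list of userAuth-only ops)."""
    counts = Counter()
    user_only = []
    for op_id, reqs in iter_operations(spec):
        counts["total"] += 1
        schemes = {name for req in reqs for name in req}
        if not reqs:
            counts["anonymous"] += 1
        elif schemes == {"userAuth"}:
            counts["userAuthOnly"] += 1
            user_only.append(op_id)
        elif "applicationAuth" in schemes:
            counts["clientCredentials"] += 1
    return counts, user_only


def undeclared_scopes(spec):
    """Return (op, scheme, scope) triples where the scope is not declared on the scheme."""
    declared = declared_scopes(spec)
    problems = []
    for op_id, reqs in iter_operations(spec):
        for req in reqs:
            for scheme, scopes in req.items():
                for scope in scopes:
                    if scope not in declared.get(scheme, set()):
                        problems.append((op_id, scheme, scope))
    return problems


if __name__ == "__main__":
    counts, user_only = audit(SAMPLE_SPEC)
    print("Total endpoints checked:", counts["total"])
    print("Endpoints using only userAuth:", counts["userAuthOnly"], user_only)
    print("Scopes not declared on their scheme:", undeclared_scopes(SAMPLE_SPEC))
```

The undeclared-scope check is the one worth wiring into spec CI: it fails a build whenever an engineer documents a right instead of a token-assignable scope, which is exactly the class of error cleaned up above. Swap SAMPLE_SPEC for json.load or yaml.safe_load of the real document.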