|
Author |
Thread Statistics | Show CCP posts - 21 post(s) |
|
CCP Zymurgist
Gallente C C P
|
Posted - 2011.05.26 15:45:00 -
[1]
In CCP Stillman's latest dev blog he welcomes back CCP Elerhino and talks about the new customizable API key. Read more about it and how to start testing these new API keys here.
Zymurgist Community Representative CCP NA, EVE Online Contact Us |
|
|
CCP Prism X
Gallente C C P C C P Alliance
|
Posted - 2011.05.26 16:13:00 -
[2]
I'm content with the number of times I was mentioned in this blog.
The combination to the safe with your antidote is 6-13-31-27.
~ CCP Prism X EVE Database Developer and Acting API Dude |
|
|
CCP Stillman
|
Posted - 2011.05.26 16:28:00 -
[3]
Originally by: Sarmatiko The first thing that comes to mind - can you add simple vCode generator button to the API creation page?
Brilliant ideas like this is why putting things on Singularity before we release it is such a great thing.
But yes, I've suggested this to Elerhino. I'm optimistic we can do that
|
|
|
CCP Prism X
Gallente C C P C C P Alliance
|
Posted - 2011.05.26 16:36:00 -
[4]
HTTPS is currently not working on the test server.
~ CCP Prism X EVE Database Developer If anything in this post was informative or could be considered as 'good news' to you - chances are you've misread it. |
|
|
CCP Stillman
|
Posted - 2011.05.26 19:29:00 -
[5]
Originally by: Marcel Devereux Edited by: Marcel Devereux on 26/05/2011 16:30:49 Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can chose to open the link with my application. This would allow for easy key entry into applications.
Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application?
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:32:00 -
[6]
Originally by: Everseeker Is it safe to assume that, If I create a request string for a user, asking for specific information, that the user will see an "english-readable" warning, telling them specificly what the Recruiter/whoever will be receiving if you comply (perhaps with a check-box based format, to allow partial compliance with the request....)
The way the dev blog mentions you can create a "predefined" key basically just fills out the things specified in the URL. The user will be able to see all the checkboxes before he submits it, and he will need to provide a bit of extra information.
We could add an extra warning if people are creating a pre-defined key, if people think this is a good idea
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:33:00 -
[7]
Originally by: SencneS It doesn't say it anywhere but if we create a non-expiring key can we delete the key? I haven't created one yet because I am uncertain I will be able to delete it.
You can edit and delete an API key at any time you like!
Originally by: SencneS
I also assume the old API keys will continue to work as expected?
Yes.
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:35:00 -
[8]
Originally by: Two step Only CEOs can create corporation keys? Why not directors as well?
We hear you, and all others who have commented on only CEOs being able to create corp keys. We'll investigate lowering that requirement to Director.
Originally by: Two step
What happens to a corporation key if the CEO leaves corp? Is it still valid?
No, that will invalidate it.
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:41:00 -
[9]
Originally by: mkint
1) I like how customizable it is, but the added complexity means it's gonna be a pain in the ass for rookies to set it up for evemon/eft. A link like the 'all' 'none' links for 'basic' 'full' would be pretty awesome (especially if it automatically filled in the 'name' field as well.)
We still want to investigate implementing pre-defined templates from our end. We've provided application developers with a way of sending an user to the API page with a predefined key. But we want to provide at least some of the most "common" things people want to do, as templates you can pick on the create key page.
Originally by: mkint
2) it would be pretty awesome to have a button next to the verification code field labeled 'generate' to automatically create a new key similar to the classic API page.
3) I'm still fuzzy on how any programs will associate any particular API key with any particular account. I assume it still uses a user ID? That is no longer shown on the page. If it's not still associated to a user ID, then I'm fuzzy on what happens if there ends up being keys with duplicate names/verification codes (unless neither of those are supposed to be meaningful to the user, which I'd have to say right now would be extremely bad.)
also bonus points for not having the new API key being attached to spacebook. Holy jeebus, thank you for not having it be attached to spacebook. That gawdawful piece of crap website needs to be rebuilt from the ground up before I trust it to do anything important, and it still upsets me that it's linked to my account at all.
edit: after re-reading the original blog, the keyID concept is a little more clear. It's kinda weird that you could have a 2 digit keyID, but whatever. I assume you just need the keyID and the verification code, and I still maintain that it would probably be a smart idea to have an auto generate button for that 20 character password that the nag box keeps popping up for.
Also, for usability, the first time I logged in, I was taken directly to a create page without any of the explanations you see on the management page. For usability it would probably be a good idea to already have a 'basic' and 'full' key automatically generated when first signing in and being taken to the management screen instead of the creation screen.
The UserID had to go in order to allow for partial access to an account, i.e only giving access to a single character, as the userID could otherwise give away who you really are. So the userID is implicit in the keyID, but only the API can find out what the userID is.
And as said earlier, we'll investigate a "Auto generate" button for the verification code for a strong verification code
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:42:00 -
[10]
Originally by: James Arget
One of my members also asked how the Corp keys are going to work in regards to granularity. Could we make keys that restrict access to only member applications, or only to POS information?
That's the idea, yes. Creating a corporation key works exactly like creation a character key. You can select and de-select every single page you want, giving you granularity down to the specific API page you want to expose on a key.
|
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:47:00 -
[11]
Originally by: Vessper Nice work on the API changes, looking forward to using it! Some quick questions at this point:
1. What is going to happen with the account related APIs, namely the Characters.xml.aspx and AccountStatus.xml.aspx?
They'll be possible to select and de-select as all other calls on both bound and un-bound character keys. So we're not special casing those.
Originally by: Vessper
2. Am I correct in assuming that CharacterInfo under Public Info is the same as what is available with the current Limited API and under Private Info is what is available with the Full API?
Spot on sir!
Originally by: Vessper
3. Are these changes something you are aiming to release in conjunction with Incarna 1.0 in June, or more likely scheduled for some later patch? Just trying to gauge if I need to start panicking
No, we will definitely not be releasing this with Incarna 1.0. It will be later than that.
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:50:00 -
[12]
Originally by: Miss Teri More fine-tuned access: nice. But...
Why keep the key in two parts? (Before: userid+key, now: keyid+vcode)
In fact, why allow custom vcodes? That would only decrease security, as people will be bound to select bad (easy to remember, short) vcodes.
Why not make it a single, auto-generated string? Easy to copy and paste into programs (single copy/paste instead of two, like it is now).
In order to not be easy to bruteforce, we're keeping it to two variables needed to access any API key. As for custom vCodes, we'll implement an auto-generate button. But for those who wants a custom vcode, we will allow that.
It is possible to create an insecure vcode, yes. But we will respond to bruteforce attacks on the API servers. And it's just nice to have it be generated by the user, should they decide to.
If you create an "insecure" vCode, you also get a pop-up when you create it, informing you that you might want to consider a more secure vCode.
|
|
|
CCP Stillman
|
Posted - 2011.05.26 19:54:00 -
[13]
Originally by: Sable Blitzmann Edited by: Sable Blitzmann on 26/05/2011 19:32:08
Originally by: CCP Stillman
Originally by: Marcel Devereux Edited by: Marcel Devereux on 26/05/2011 16:30:49 Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can chose to open the link with my application. This would allow for easy key entry into applications.
Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application?
Can you please address the more pressing matters of corp API only accessible to CEOs? Directors need full access, and members need access to the APIs that they have roles for, just like it currently is.
The current way is nerfed to hell and back and will make managing APIs extremely difficult for those of us with CEO's away from game or otherwise not very interested in APIs.
Other than this major oversight, this seems to be a great improvement of the API system
I was just going down the list of all posts and trying to respond to them.
I've already discussed with Elerhino for allowing directors to create keys, and he seemed onboard with that. I'll discuss going all the way down to people with roles, to allow to create keys with a limited subset of access with Elerhino tomorrow. Till then, I don't want to promise anything, as I can imagine it's a fairly complex thing.
|
|
|
CCP Spitfire
C C P C C P Alliance
|
Posted - 2011.05.27 13:43:00 -
[14]
Originally by: Golden Gnu I can not access: https://supporttest.eveonline.com (http as well) It redirects me to https://supporttest.eveonline.com/Pages/KB/
Also, awesome change...
There should be a drop-down menu on the left ("My API Keys").
Spitfire Community Representative CCP Hf, EVE Online |
|
|
CCP Stillman
|
Posted - 2011.05.27 21:48:00 -
[15]
Originally by: TornSoul Christmas - Already? (well.. it's not deployed yet but.. )
Close enough, in my opinion
Originally by: TornSoul
3: I think (hope!) the following is the case, but please confirm : - "oldschool" userid/apikey calls to the API will still be possible? (aka I won't have to update all my existing code with new paramnames)
For now, yes.
|
|
|
CCP Stillman
|
Posted - 2011.05.27 21:49:00 -
[16]
Originally by: Avraham Avinu Edited by: Avraham Avinu on 27/05/2011 06:29:25 Edited by: Avraham Avinu on 27/05/2011 06:16:25
When I Update a vCode, I get an "Authentication failure" using the updated vCode, yet my old vCode still works. It only started to work a couple minutes later. I suspect a server-side cache issue. This will confuse people and lead to the dark side.
This is indeed due to caching. There will always be a small delay, I'm afraid.
|
|
|
CCP Stillman
|
Posted - 2011.05.27 21:51:00 -
[17]
Originally by: Marcel Devereux
Originally by: CCP Stillman
Originally by: Marcel Devereux Edited by: Marcel Devereux on 26/05/2011 16:30:49 Can we please get a link for each key on the key management page that has the key info embedded as arguments in the URL (i.e. http://api.eve-online.com/key/?keyID=42&vCode=VERYSECRET)? I would like to register as a handler for that link and the user can chose to open the link with my application. This would allow for easy key entry into applications.
Is what you're asking for a button that will say "Copy API Key to clipboard", which people can click and then paste into the requesting application?
Only if it can work across all browsers and does not require flash to do it (i.e bit.ly's copy url to clipboard requires flash). What reservations do you have about providing the link?
I have no reservations. It was just a thought, based on what the goal of doing so was. We'll of course investigate all options for doing this
|
|
|
CCP Stillman
|
Posted - 2011.05.27 21:56:00 -
[18]
Originally by: Taureau Edited by: Taureau on 27/05/2011 18:36:19 Apologies if I'm incorrect about this, but if I try this URL with various parameters it fails: http://apitest.eveonline.com/API/APIKeyInfo.xml.aspx?keyID=1&vCode=VERYVERYSECRET
Sorry about that. That was a typo in the blog. The actual directory the call is in, is /account/. Fixed that
|
|
|
CCP Stillman
|
Posted - 2011.05.27 21:57:00 -
[19]
Originally by: Golden Gnu I can not access: https://supporttest.eveonline.com (http as well) It redirects me to https://supporttest.eveonline.com/Pages/KB/
Also, awesome change...
Fixed. The fix I made yesterday disappeared last night during the outage. It now links directly to the API key page
|
|
|
CCP Stillman
|
Posted - 2011.05.27 21:58:00 -
[20]
Originally by: Hel O'Ween
Question 1): This might be obvious, but better have it spelled out in written than all of us assuming something which's not true: personal and corporation keys are completely separated in the new system?
Example: assuming I'm a CEO or director, my full API key granted me complete access to both personal and corp API data. With the new system I would need to create two keys (personal and corporation) to achieve the some thing? I assume that's the case, but I rather have that confirmed.
Yes. That's unfortunately a trade off that had to be made.
Originally by: Hel O'Ween
Question 2): Will there be a replacement for the AccountStatus API?
The AccountStatus API is still there and works like it always has. So there won't be a replacement
|
|
|
|
CCP Stillman
|
Posted - 2011.05.30 20:34:00 -
[21]
Originally by: Hel O'Ween
Originally by: CCP Stillman
Originally by: Hel O'Ween
Question 2): Will there be a replacement for the AccountStatus API?
The AccountStatus API is still there and works like it always has. So there won't be a replacement
Ah, cool. I didn't saw it listed on the API key test page so I wondered if it will be perhaps merged with some other API (char info ...)
You're right. It's not there. This will be fixed
|
|
|
|
|