You can now restrict what API keys can access and do.

Background

Cameo’s API keys allow third-party software to communicate with Cameo program-to-program. You add and remove them in Admin → API Keys.

API endpoint means the particular operation requested in the API. For example, if the URL your third-party program accesses is
https://cameo.example.com/api/discounts.json
then discounts is the endpoint.

Only administrators can access the API Keys section.

Endpoint restrictions

Each API key now includes a list of the API endpoints it is allowed to access. This means the risk is contained if a key gets disclosed. When you add a key, you should select only the API endpoints it actually needs to do the job (Fig 1: 1).

Because any existing key could previously access anything (except Export Statements, which was a special case), existing keys currently allow broad access. If you know which endpoints these keys need, it would be sensible to restrict them to those.

Fig 1: (1) select the endpoints the key is allowed to access; (2) the list of keys now also shows when each key was first created; and (3) a key can have its password reset without deleting and re-creating it.
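
One way to work out what to select for an existing key is to list the URLs each integration actually calls and reduce them to endpoint names. The script below is an added example, not part of Cameo: the key labels, the endpoint_a and endpoint_b names and the call list are constructed, and it assumes every API URL has the /api/<endpoint>.<format> shape shown in the Background section.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def endpoint_of(url):
    """Return the endpoint named in an API URL, or None if it is not one.

    Assumes the URL shape shown on this page: /api/<endpoint>.<format>
    """
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) < 2 or parts[0] != "api":
        return None
    return parts[1].split(".", 1)[0] or None


def minimal_allowlists(calls):
    """Return ({key label: sorted endpoints it called}, [unparsed calls])."""
    seen = defaultdict(set)
    unparsed = []
    for key_label, url in calls:
        endpoint = endpoint_of(url)
        if endpoint is None:
            unparsed.append((key_label, url))  # review these by hand
        else:
            seen[key_label].add(endpoint)
    return {label: sorted(eps) for label, eps in seen.items()}, unparsed


def is_allowed(allowlist, url):
    """Default-deny check: only URLs naming a listed endpoint pass."""
    endpoint = endpoint_of(url)
    return endpoint is not None and endpoint in allowlist


# Constructed sample: (label you gave the key, URL the integration calls).
CALLS = [
    ("billing-sync", "https://cameo.example.com/api/discounts.json"),
    ("billing-sync", "https://cameo.example.com/api/discounts.json?page=2"),
    ("billing-sync", "https://cameo.example.com/api/endpoint_a.json"),
    ("reporting", "https://cameo.example.com/api/endpoint_b.json"),
    ("reporting", "https://cameo.example.com/login"),
]

if __name__ == "__main__":
    allowlists, unparsed = minimal_allowlists(CALLS)
    for label, endpoints in allowlists.items():
        print(f"{label}: select only {', '.join(endpoints)}")
    for label, url in unparsed:
        print(f"{label}: not an API URL, check manually: {url}")
```

The output per key is the set to tick when editing that key; anything reported as unparsed needs a manual look before you restrict the key.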