You can now restrict what API keys can access and do.

Background

Cameo’s API keys allow third-party software to communicate with Cameo program-to-program. You add and remove them in the API Keys section in the Profile menu.

API endpoint means the particular operation requested in the API. For example, if the URL your third-party program accesses is
https://cameo.example.com/api/discounts.json
then discounts is the endpoint.

Only administrators can access the API Keys section.

Endpoint restrictions

Each API key now includes a list of the API endpoints it is allowed to access. This means the risk is contained if a key gets disclosed. When you add a key, you should select only the API endpoints you actually need to do the job (Fig 1: 1).

As any existing key could access anything (except Export Statements, which was a special case), existing keys currently allow broad access. If you know which endpoints these keys use, it would be sensible for you to restrict them.
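One way to work out which endpoints an existing key needs is to list the URLs your third-party program requests and compare them with the endpoints selected on the key. The following is an added example, not part of Cameo: the function names, the rule that the endpoint is the path segment after /api/ with its extension removed, and the endpoint names endpoint_a and endpoint_b are assumptions, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit


def endpoint_of(url):
    """Endpoint name of an API URL, e.g. .../api/discounts.json -> 'discounts'.

    Returns None when the path is not under /api/ (assumed URL layout,
    generalised from the single example URL given on this page).
    """
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if len(segments) < 2 or segments[0] != "api":
        return None
    # Drop the format extension (.json) to get the bare endpoint name.
    return segments[1].split(".", 1)[0]


def audit_key(request_urls, selected):
    """Compare the endpoints a program actually calls with those selected on its key."""
    used = {e for e in map(endpoint_of, request_urls) if e}
    selected = set(selected)
    return {
        "needed": sorted(used),              # select exactly these on the key
        "unused": sorted(selected - used),   # selected but never called: deselect
        "missing": sorted(used - selected),  # called but not covered by the selection
    }


# Constructed sample: URLs taken from a third-party program's own request log.
# "endpoint_a" and "endpoint_b" are placeholder names, not real Cameo endpoints.
SAMPLE_URLS = [
    "https://cameo.example.com/api/discounts.json",
    "https://cameo.example.com/api/discounts.json?x=1",
    "https://cameo.example.com/api/endpoint_a.json",
    "https://cameo.example.com/profile",  # not an API call, ignored
]
SAMPLE_SELECTED = ["discounts", "endpoint_b"]

if __name__ == "__main__":
    for name, endpoints in audit_key(SAMPLE_URLS, SAMPLE_SELECTED).items():
        print(f"{name}: {', '.join(endpoints) or '-'}")
```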

Fig 1: (1) select the endpoints the key is allowed to access; (2) the list of keys now also shows when each key was first created; and (3) a key can also have its password reset without deleting and re-creating it.