Read-Only Scope for OAuth Applications/API Access

1 Vote Requested
Jimmy M
2 hrs ago
Member for 3 years 6 posts

Hello OwnerRez Team,

I am requesting a new feature that would allow users to limit an OAuth application's access to be strictly read-only.

Current Problem
I am developing an application to pull daily updates on my vacation rentals. Per confirmation from Partner Help, currently, both personal access tokens and OAuth applications are granted full write access to the API.

For security and best practice, applications that only need to retrieve data, like my daily snapshot bot, should not be granted full write permissions. This unnecessarily expands the risk profile for the user's data should the application ever be compromised.

Requested Feature
Please add an option to scope a new OAuth application or Personal Access Token to "read-only" access. This would ensure that API calls using that specific token or app cannot perform any create, update, or delete actions, providing a more secure way to use the API for informational and reporting purposes.

This feature would significantly improve the security and utility of your API for developers building read-only integrations.

Thank you,

Jimmy

Steven C
2 hrs ago
OR Team Member Member for 4 years 55 posts

Hey Jimmy,

I see what you’re getting at from a security standpoint.

Right now, our API doesn’t support scoped permissions like read-only vs. write. OAuth applications and personal access tokens are granted full access, and it’s up to the application itself to determine what actions it performs. So if your app is only making GET calls, it will effectively behave as read-only.

Since OAuth is already handling authentication securely, and the application controls which endpoints it calls, this isn’t something we currently have plans to change. Adding permission scoping at the token level would be a fairly large architectural shift.

That said, I appreciate you sharing the use case. It’s helpful context as we continue to evaluate API improvements over time.

-Steve
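
An added example, not part of either post and not OwnerRez code: since tokens carry full access, read-only behaviour has to be enforced inside the client, as the reply describes. The Python below refuses anything but GET/HEAD before any network I/O, blocks method-override headers, and pins the token to one host; `API_BASE`, the Bearer header and every name here are assumptions.

```python
import urllib.request
from urllib.parse import urljoin, urlsplit

API_BASE = "https://api.example.invalid/v2/"  # assumption: placeholder, not the real host
SAFE_METHODS = frozenset({"GET", "HEAD"})
# Headers some frameworks honour to tunnel another verb through an allowed one.
OVERRIDE_HEADERS = frozenset({"x-http-method-override", "x-http-method", "x-method-override"})


class ReadOnlyViolation(PermissionError):
    """Raised before any network I/O when a request could modify data."""


def build_request(method, path, token, headers=None):
    """Return a urllib Request only if it is a plain read against API_BASE."""
    method = method.upper()
    if method not in SAFE_METHODS:
        raise ReadOnlyViolation(f"{method} blocked: this client is read-only")
    headers = dict(headers or {})
    for name in headers:
        if name.lower() in OVERRIDE_HEADERS:
            raise ReadOnlyViolation(f"header {name} blocked: method override")
    base, target = urlsplit(API_BASE), urlsplit(urljoin(API_BASE, path))
    if (target.scheme, target.netloc) != (base.scheme, base.netloc):
        raise ReadOnlyViolation(f"{path} blocked: token is pinned to {base.netloc}")
    headers["Authorization"] = f"Bearer {token}"  # assumption: bearer-token auth
    return urllib.request.Request(target.geturl(), headers=headers, method=method)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError rather than resend the token elsewhere


def fetch(path, token):
    """GET a resource through the guard; the only network entry point."""
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(build_request("GET", path, token), timeout=30) as resp:
        return resp.read()
```

This limits what a bug in the client can do; a stolen token still has full access, which only server-side scoping would change.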