Is your feature request related to a problem? Please describe.
I would like to make API calls to Hi.Events using revokable, granularly permitted API keys, so I can automate certain repetitive tasks, as well as pull customer data into other internal tools.
Describe the solution you'd like
I would like the ability to create API keys, similar to how users are created, on a per-organization level. These API keys can then be supplied in the HTTP headers for authN/authZ for direct API access. They should be revokable on-demand, and optimally should be able to have simple permission types (read, read/write) or have more granular permissions (per-API or per-API-class).
Thanks for the suggestion! I've already looked into this while investigating updates to the authentication flows. Laravel Sanctum seems like a strong candidate for handling most of the heavy lifting.
The current RBAC implementation is quite basic, so I'm planning to refactor it. This update would include switching to Laravel Sanctum and enabling the creation of multiple API keys per user.
That sounds great! Any idea when you were planning on getting to the auth refactor? (not asking to be pushy; just asking to determine where it is on your priority list, and if I should potentially pick it up)
It’s coming soon-ish, as it’s a frequently requested feature so I want to prioritise it. I wouldn’t recommend taking on the entire refactor, but if you’d like to take a stab at incorporating Sanctum for API token issuing, it would be more than welcome!
I could then use that as a foundation for the RBAC changes.
I'm currently about 75% complete on the invoicing and offline payment features, which will complete v1. I hope to introduce auth updates in v1.1 or 1.2.
Cheers!
Side note: If you're adding features, please use the v1 branch, or else the conflicts will be tough to resolve.