K
Kinde7mo ago
Martin

Restricting access to Kinde API

https://kinde.com/docs/user-management/user-permissions/ describes how I can create custom permissions for managing what the users of my application are allowed to do. https://kinde.com/docs/build/add-a-m2m-application-for-api-access/ describes how I can enable M2M access to the Kinde API. Is there any way to restrict which Kinde API methods are allowed to be called? I'd like to be able to restrict the access to ensure that if the Client Secret ever got leaked, it couldn't be used to delete all of my Users? Related, does Kinde support any kind of Backup/Restore functionality to help recover from any kind of accidental / malicious data deletion?
Kinde Docs
Manage user permissions - User management - Help center
Our developer tools provide everything you need to get started with Kinde.
Kinde Docs
Add a machine to machine application - Build on Kinde - Help center
Our developer tools provide everything you need to get started with Kinde.
3 Replies
onderay
onderay7mo ago
Thanks for the question @Martin one of the team will be able to answer shortly. @Martin Currently, Kinde does not support the ability to restrict which API methods can be called for a specific client. Once a client is authenticated, it has the ability to call any of the API methods that are part of the Kinde Management API. This is not the best situation and the team is working on making this more secure. Will have an answer to your other question shortly.
Martin
Martin7mo ago
This isn't high priority for me but is more of a nice to have. Can you give me an idea of where this fits into your roadmap?
onderay
onderay7mo ago
@Martin it will probably be a Jan or Feb 2024 roll out
Want results from more Discord servers?
Add your server
More Posts
Accessing appStatehttps://kinde.com/docs/developer-tools/react-sdk/#persisting-application-state gives an example for Rotating Client SecretHow and when can I rotate the client secret which I fetch as part of https://kinde.com/docs/build/adAccessing ID on the backendhttps://kinde.com/docs/developer-tools/protect-your-api/ describes setting the accessToken when makigetToken from useKindeBrowserClientWould it be possible for `getToken` from `useKindeBrowserClient` to asynchronously respond with tokeValidating JWT tokens for non-OAuth mechanismsKinde supports non-OAuth mechanisms such as https://kinde.com/docs/authentication-and-access/azure/ Remove an enterpise connectionHow can I remove an enterprise connection from the `/admin/cx/_:nav&m:settings::_:submenu&s:authentiEnforcing permissionshttps://kinde.com/docs/user-management/user-permissions/ talks about how to create permissions. How Matching Users to OrganisationsI'm working on an auth solution for my application. I'm expecting users from multiple different OrgaFeature flagsIs there really no ways to delete or rename Feature flags ??Customize Registration FieldsCan I customize the registration fields? I would like to remove the first name and last name, just p