The Problem
I'd like to use all of the endpoints of the API to replace redundant backend processing on the main site and redesign it to be more asynchronous. But with all endpoints requiring an API key, that would require either:
exposing an API key to the public, or
setting up an exception to requiring an API key, like checking for a (spoofable) muncieevents.com referer.
The Solution
[x] For all endpoints that correspond to stuff that anonymous users can do on the main site, stop requiring an API key
[ ] Add tests that assert that API keys are / are not required for each endpoint
[ ] Give all users their own API key and userToken
[ ] Use the logged-in user's API key for all access-restricted endpoints
[ ] Don't bother logging API requests made without API keys (regardless of endpoint)