I've implemented a domain access token authentication strategy and made a account and domain public key reading APIs public for compatibility with current domain server implementation. Might need to revisit this in the future as there are some things that I'm not sure about:
The domain access token has a expiration date, which is currently unused, since It's unclear what should happen then.
Using the access token gives access to specific APIs as the user that generated the token, with all relevant permissions. Might need to reconsider the APIs exposed this way and/or revoke some permissions.
The account public key API also returns the account username and id, which I'm not sure is ok to be public.
I've implemented a domain access token authentication strategy and made a account and domain public key reading APIs public for compatibility with current domain server implementation. Might need to revisit this in the future as there are some things that I'm not sure about: