uppsaladatavetare / foobar-api

The backend of the FooBar kiosk and inventory system.
MIT License
12 stars 6 forks

Improved REST API permission system (FooCard authentication) #26

Open kjagiello opened 7 years ago

kjagiello commented 7 years ago

The REST API, in its current form, provides only one way of accessing it, namely through API tokens. The permission system for the API tokens is currently very basic and there is no easy way of implementing more specialised endpoints, such as purchase cancelling, and controlling which users may access those endpoints and how they can interact with them.

What we want is an additional type of API token, a card token, that is generated based on the FooCard that was used to log in. Using a card token would make it possible to, for example, implement purchase cancelling for purchases associated with the card. The regular API tokens could therefore be limited to read-only operations, whereas a card token would be required in order to do write operations, such as making a purchase or cancelling one.
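The token model proposed above, sketched as a constructed example that is not part of the issue or the project's code: an API token is read-only, a card token bound to a FooCard may perform writes, and cancellation is additionally scoped to purchases made with that same card (the `Token`, `Purchase` shapes and function names are assumptions).

```python
"""Two-tier token model proposed in this issue (constructed example, not the
project's own code; Token, Purchase and function names are assumptions).
API tokens are read-only; card tokens (issued on FooCard login) may write,
and may cancel only purchases made with the same card."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class TokenKind(Enum):
    API = "api"    # regular token: read-only access
    CARD = "card"  # issued on FooCard login: may perform writes

@dataclass(frozen=True)
class Token:
    kind: TokenKind
    card_id: Optional[str] = None  # set only for card tokens

@dataclass
class Purchase:
    id: int
    card_id: str
    cancelled: bool = False

class PermissionDenied(Exception):
    pass


def require_write(token: Token) -> None:
    """Write operations (purchase, cancel) require a card token."""
    if token.kind is not TokenKind.CARD or token.card_id is None:
        raise PermissionDenied("write operations require a card token")


def make_purchase(token: Token, purchases: List[Purchase]) -> Purchase:
    require_write(token)
    purchase = Purchase(id=len(purchases) + 1, card_id=token.card_id)
    purchases.append(purchase)
    return purchase


def cancel_purchase(token: Token, purchase: Purchase) -> Purchase:
    require_write(token)
    # Object-level check: a card token cancels only its own card's purchases.
    if purchase.card_id != token.card_id:
        raise PermissionDenied("purchase belongs to a different card")
    purchase.cancelled = True
    return purchase
```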