
I am collaborating with another person on Podio to integrate various external applications with an information management system we have created on Podio.

I need to clarify my understanding regarding the generation of API Keys. Specifically, API Keys are generated from a User's Account Settings. If I generate the API Keys for an integration and I am later removed from that Workspace, does this terminate the connection with the App in Podio?

I know, simple question and the obvious answer is yes, it would terminate the connection, but I would like to know if anyone has direct experience with this and can confirm my assumption.

Pavlo - Podio

1 Answer


There are a couple of ways to use the Podio API Keys. The Client-ID and Client-Secret alone do not give you access to apps or workspaces. The Client-ID and Client-Secret merely identify you as a 'Developer' who has been granted the privilege to use the Podio API. Again, this data alone does not grant your user access to ANY workspace nor app.

Let's review how Podio API authentication works in more detail:
Main documentation page: https://developers.podio.com/authentication

Example in Ruby:

require 'podio'

# The Client-ID/Client-Secret identify the developer (USER_0) only; by themselves they grant no data access.
Podio.setup(
  :api_key    => 'USER_0_CLIENT_ID',
  :api_secret => 'USER_0_CLIENT_SECRET'
)
begin
  Podio.client.authenticate_with_credentials('USER_1', 'PASSWD')
  # got access to ALL info that USER_1 can access, but not USER_0

  Podio.client.authenticate_with_credentials('USER_2', 'PASSWD')
  # got access to ALL info that USER_2 can access (but won't be able to access any info from USER_1 nor USER_0)

  Podio.client.authenticate_with_app('APP_1_ID', 'APP_1_TOKEN')
  # get access to APP_1 items (and nothing else), and it doesn't matter if USER_0 has access to APP_1 or not (nor USER_1, nor USER_2)

  Podio.client.authenticate_with_app('APP_2_ID', 'APP_2_TOKEN')
  # get access to APP_2 items (and nothing else), and it doesn't matter if USER_0 has access to APP_2 or not
rescue Podio::PodioError => ex
  # Something went wrong: authentication failed or the API returned an error
  warn "Podio error: #{ex.message}"
end

Therefore, you need a valid Client-ID/Client-Secret in addition to valid authentication credentials to actually gain access to any information inside Podio. The authentication credentials could be in the form of another user's login/password, an app_id/app_token, or an access_token that is generated by Podio when a user logs in via the server-side flow or client-side flow.

Pavlo - Podio
  • Thank you for the response. #2 is applicable to what I am referring to, but if the Client ID and Client Secret Key are part of an API connection from a user that no longer has access to a workspace, how can they continue to have access? – Darin Short Sep 28 '16 at 10:36
  • I've restructured the answer to make it clear that the Client ID and Client Secret don't give any access; only the full combination of Client ID/Secret with username/password, app_id/token or access_token can give access to Podio apps and items. – Pavlo - Podio Sep 28 '16 at 17:39
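The access rule the answer describes (Client-ID/Secret identify the developer; the reachable data depends only on what the session authenticates as) is the input you need to predict which integrations break when someone is removed from a workspace. The following is an added example, not code from the answer or from the podio gem: it models that rule over constructed workspace and integration data (all names such as WS_A, crm-sync and USER_0 are made up) and reports the integrations whose reachable scope goes to zero when a given user is removed.

```ruby
# Added example: offline model of Podio's access rule, used to check the blast radius
# of removing a user from a workspace. All data below is constructed for illustration.
require 'set'

# Constructed sample data: who belongs to which workspace, and which apps live there.
WORKSPACE_MEMBERS = { 'WS_A' => Set['USER_0', 'USER_1', 'USER_2'] }
WORKSPACE_APPS    = { 'WS_A' => Set['APP_1', 'APP_2'] }

# client_owner is the developer whose Client-ID/Secret the integration uses;
# principal is what the session authenticates as (a user, or an app via app_id/app_token).
Integration = Struct.new(:name, :client_owner, :auth_method, :principal)

# Apps an integration can reach. Note that client_owner is never consulted:
# the Client-ID/Secret identify the developer but grant no access on their own.
def reachable_apps(integration, members = WORKSPACE_MEMBERS, apps = WORKSPACE_APPS)
  case integration.auth_method
  when :user_credentials
    # Everything the authenticated user can access: the apps of every workspace they belong to.
    members.each_with_object(Set.new) do |(ws, users), acc|
      acc.merge(apps[ws]) if users.include?(integration.principal)
    end
  when :app_token
    # Exactly that one app, regardless of anyone's workspace membership.
    Set[integration.principal]
  else
    Set.new
  end
end

# Simulate removing `user` from `workspace`; return names of integrations that had
# access before and have none afterwards.
def broken_by_removal(integrations, user, workspace, members = WORKSPACE_MEMBERS)
  after = members.transform_values(&:dup)
  after[workspace]&.delete(user)
  integrations.select do |i|
    !reachable_apps(i, members).empty? && reachable_apps(i, after).empty?
  end.map(&:name)
end

# Constructed inventory: all three use USER_0's Client-ID/Secret but authenticate differently.
INTEGRATIONS = [
  Integration.new('crm-sync', 'USER_0', :user_credentials, 'USER_1'),
  Integration.new('hr-feed',  'USER_0', :user_credentials, 'USER_0'),
  Integration.new('app1-bot', 'USER_0', :app_token,        'APP_1'),
].freeze

if __FILE__ == $0
  # Removing the developer USER_0 only breaks the integration that logs in AS USER_0.
  puts broken_by_removal(INTEGRATIONS, 'USER_0', 'WS_A').inspect  # => ["hr-feed"]
end
```

Integrations that authenticate with an app_id/app_token, or as a user who remains in the workspace, keep working after the developer who generated the Client-ID/Secret leaves; the ones to review on offboarding are those whose principal is the departing user.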