Limit access?

[peteruithoven]

Doesn't using a user's API token mean you get access/rights to everything the user has?

I'm used to apps being able to describe what they need specifically (scopes) and then through oAuth asking the user for permission. But maybe this isn't easily possible with Clickup? I noticed when I looked at the Clickup API integration there are also no questions about access (scopes).

[gwleuverink]

Hi @peteruithoven,

As I understand from the documentation, using oauth2 you are able to limit API access to a specific workspace. But that's about all info I can find in the docs. Using the personal token you get access to all workspaces connected to the account the token belongs to.

I'm not sure about the benefits of adding a auth2 client right now, though I might be convinced. What are your thoughts?

[peteruithoven]

Colleagues are super interested in using your tool, but with how the token works the tool gets a lot of access which introduces a risk. While it only needs some edit rights for time entries and some read access for tasks (as far as I could tell from the code).

As I understand from the documentation, using oauth2 you are able to limit API access to a specific workspace. But that's about all info I can find in the docs. Using the personal token you get access to all workspaces connected to the account the token belongs to.

Yeah, so it seems like you're hands are tied in regards to limiting access?
I might need to create a feature request at https://clickup.canny.io/, not seeing relevant ones so far.
Update: I created: https://clickup.canny.io/feature-requests/p/limit-access

[gwleuverink]

Update: I created: https://clickup.canny.io/feature-requests/p/limit-access

Cool! Let's see what they say

Yeah I understand your concern of course. It doesn't seem like using oauth2 adds more granularity in api scopes besides workspace access. That's why I'm unsure if it will address the concerns you have.

If there is a clear benefit though I'm definetly open to adding it in the future, or accepting a PR that adds this.

A few things to consider, to ease your mind regarding the access token :)

• You can revoke your access token at any time if it becomes compromised
• Doesn't look like it grants more access than oauth2 (except beforementioned workspace restriction)
• The mac build is signed and notarized from v1.0.0 onwards, so if the build you are running is flagged for whatever reason Gatekeeper will automatically inform you before opening the app
• You can always check the code. All calls to clickup are made from this file

These are the API calls made to clickup:

• GET: time_entries (fetching a range of entries to populate the calendar)
• POST: time_entries (creating a new entry)
• PUT: time_entries (updating entry)
• DELETE: time_entries (delete entry)
• GET: task (all clickup tasks are pulled from the server)