WHMCS doesn't support multiple access keys so you are forced to use a single access key for everyone (clients, apps, resellers, partners), which means that you can't allow them to use API functions at all because they'll have access to the entire system. This happens because WHMCS gives full administrative permissions to everyone who is using the API. So what's the point of the API system if you are forced to only use it for "root" stuff?
Example:
Let's say that I made an app to allow my customers to manage their domains. The enormous problem is that the WHMCS API system always runs with full administrative permissions, so a client could send API requests even for services and domains of other clients. Potentially he could unlock domains, get EPP codes and transfer them, download all invoices, see our balance, clients, servers, read, answer and close tickets, add and remove payments, create, suspend, unsuspend and terminate hosting, renew domains etc.
With a big amount of time spent on coding, I managed to skip this issue on top before the API functions get executed, but it would be relatively simple to include this function in WHMCS.
1) We simply need to apply filters and block certain commands, based on the specific access keys, before WHMCS executes them and sends XML/JSON responses. This can be done by allowing multiple access keys. Then with a relatively small amount of code we can apply "filters" to limit "root" permissions.
2) Later WHMCS Staff could also consider creating an API management page inside the back-end. This page would be used to enable/disable certain commands for each individual access key. For example you can enable only the "openticket" action for an app which is used just to send tickets and "getinvoice, getinvoices, getclientsdetails" for your accountant or external billing software.
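The per-key command filter proposed in points 1) and 2), as an added example that is not from the original post or from WHMCS: a check a hypothetical gateway would run before forwarding a request to the API. The access keys, `POLICY` and `authorize` are assumptions; the action names are the ones mentioned in the post.

```python
import hashlib
import hmac


def _digest(key):
    # Store and compare only hashes, so the policy table never holds usable keys.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Hypothetical policy table: hash of access key -> actions that key may run.
# The two keys below are constructed samples.
POLICY = {
    _digest("ticket-app-key"): {"openticket"},
    _digest("accountant-key"): {"getinvoice", "getinvoices", "getclientsdetails"},
}


def authorize(access_key, params):
    """Return (allowed, detail). Default-deny: anything not listed is refused."""
    presented = _digest(access_key if isinstance(access_key, str) else "")
    allowed_actions = None
    for stored, actions in POLICY.items():
        # Constant-time comparison; scan every entry instead of returning early.
        if hmac.compare_digest(stored, presented):
            allowed_actions = actions
    if allowed_actions is None:
        return False, "unknown access key"

    action = params.get("action")
    # A repeated "action" parameter parses to a list; refuse it rather than
    # guess which value the backend would end up executing.
    if not isinstance(action, str):
        return False, "missing or malformed action"

    # Normalise once, check the normalised value, and forward that same value
    # so the filter and the backend cannot disagree on the command name.
    action = action.strip().lower()
    if action not in allowed_actions:
        return False, "action '%s' not permitted for this key" % action
    return True, action
```

An action allowlist limits which commands a key can run, not which client's records those commands touch, so the cross-client case from the post's example needs a separate ownership check.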
Merged Ideas
Fine tuning for external API permissions / Admin
Maybe it's the wrong time to ask for it since the long awaited 6.0 is coming... but anyway. At this time, for external API access, you need to set up an admin account and give it only one permission: API access. Therefore, this new account has access to all and everything when using remote API calls. I can't imagine an application (except a full management app) that needs this broad range of permission. There should be a fine tuning for API permissions, so that an external application that (for example) only uses login validation does not need to get ALL permission. I currently write a bridge for an external application and validatelogin was the only thing I really need. It feels really strange to save access details for the API admin account online and leaving the door open so wide.
Featured Comment
Thanks for your suggestion and votes.
I'm pleased to advise that in version 7.2 we added API Authentication Credentials and API Roles which allow for fine-grained control over precisely which API commands can be run by a particular credential pair.
There is also a UI in the admin area under Setup > Staff Management > API Credentials for management of credentials and API permissions.