API Keys #3412

@DanielBiegler

Is your feature request related to a problem? Please describe.

Vendure doesn't have, nor does it currently support, the creation and use of API keys as a means of auth. This can be cumbersome for server-side scripting where you'd like to one-off mutate something.

API keys are generally nice for server-side scripting. For example, when I need to interact with any payment provider I don't have to log in either; I provide the API key in the header and that's it. A simple curl request is enough to do something.

If I just want to do a one-off mutation, I'd have to log in, wait, parse and get the session token, do the request and log out again. If I want to get rid of this round trip, I'd have to manage state and take care of storing and keeping my token up to date, and what happens if my token gets invalidated in between multiple requests? Now I have to care about refreshing and retrying failed requests. This makes the job quite a bit more complicated than it needs to be. A long-lived API key easily gets around all of this and makes it simpler.

One use case is doing stuff on the backend that is not directly tied to a user, like importing, fetching or mutating custom entities that should be behind admin permissions but not really behind a specific user. It makes the distinction between users and scripts very clear, for example for cron jobs that sync/create entities.

Imagine your storefront wants to update some custom entities behind the scenes to keep track of something, but it's not tied to the user who did the action. Right now you must have some user for that and log in, do the thing, log out.

There are some other benefits like not polluting the session table, per-key rate limiting and usage insights, revocation/rerolling and more.

Describe the solution you'd like

Long-lived API keys that I can scope to specific tasks that server-side scripts use to do their work.

Describe alternatives you've considered

.

Additional context

  • Medusa Docs about API keys: Link
  • Stripe Docs about API keys: Link
  • Mollie Docs about API keys: Link
