<p>Can you explain the "big picture" of this, or if it has already been explained elsewhere, link to it?</p>
<p>If we implement access restrictions to certain parts of the web interface as detailed in <a href="https://wiki.openstreetmap.org/wiki/GDPR/Affected_Services" rel="nofollow">https://wiki.openstreetmap.org/wiki/GDPR/Affected_Services</a>, is this API key scheme expected to let people access the various endpoints listed there? If yes, how would you suggest that the API key is transported from the client to the server, and how would it be checked?</p>
<p>If an API key gives you special powers (namely to access data governed by an agreement that you as a logged-in user have "signed", to safeguard GDPR limits), then should there perhaps be an "explainer" when you create an API key, that basically says be careful with this, by generating this you take responsibility for all access made with that key, etc.?</p>
<p>Would it make sense for API keys to expire if not renewed regularly?</p>
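<p>One way the transport, check and expiry questions above could fit together, as an added example and not code from the openstreetmap-website pull request: the client sends the key in an <code>Authorization: Bearer</code> header, the server keeps only a SHA-256 digest of the key, rejects keys past their expiry, and renews the expiry on each successful use so keys lapse only when unused. The in-memory store, the 90-day lifetime and all function names are assumptions for the example.</p>

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for an api_keys table: only the digest of the
# secret is stored; the plaintext is shown to the user once at creation.
ApiKey = Struct.new(:digest, :user_id, :expires_at)

KEY_LIFETIME = 90 * 24 * 3600 # seconds; assumed lifetime, renewed on use

def key_digest(secret)
  OpenSSL::Digest::SHA256.hexdigest(secret)
end

# Issues a key for user_id; returns [plaintext_secret, record].
# The plaintext never enters the store, so a database leak does not
# hand out usable keys.
def issue_api_key(store, user_id, now: Time.now)
  secret = "osm_" + SecureRandom.hex(24)
  record = ApiKey.new(key_digest(secret), user_id, now + KEY_LIFETIME)
  store[record.digest] = record
  [secret, record]
end

# Extracts the key from an "Authorization: Bearer <key>" header;
# nil when the header is absent or not a bearer credential.
def bearer_token(headers)
  value = headers["Authorization"].to_s
  value.start_with?("Bearer ") ? value.delete_prefix("Bearer ") : nil
end

# Looks the key up by digest, refuses lapsed keys, and on success
# pushes the expiry forward so a regularly used key stays valid.
# Returns the owning user_id, or nil when access must be denied.
def authenticate_api_key(store, headers, now: Time.now)
  secret = bearer_token(headers)
  return nil if secret.nil? || secret.empty?
  record = store[key_digest(secret)]
  return nil if record.nil?
  return nil if now >= record.expires_at
  record.expires_at = now + KEY_LIFETIME
  record.user_id
end
```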

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />Reply to this email directly or <a href="https://github.com/openstreetmap/openstreetmap-website/pull/2145#issuecomment-463930621">view it on GitHub</a>.</p>