Hi, great course, finally...

Hi, great course, finally caught up! I'm wondering why the keys for the Weather App work in the OAuth validation for the Jokes API Bundle, since the Weather App its not associated with the Jokes API, only with the Premium Weather API. How do I verify/enforce that an App only has access to a specific Product? Thanks,


Hey Kurt -- glad to see you

Michael Bissell's picture

Hey Kurt -- glad to see you in the course!

The issue is with the way the Weather Product is configured -- it's a little backwards from how you might expect.  If you create a product with NO resources, it is unrestricted.  When you add resources, you're creating restrictions on that product.

So the Premium Weather API product is really a completely unrestricted product -- it can consume any resources. To make it really the Weather API, you would have to add the Weather API Proxy resources to the Product.

Hope that makes sense.  I think I cover this in the video about products, but I know it's confusing. 


Hi Michael -- glad to see you

Kurt Kanaskie's picture

Hi Michael -- glad to see you teaching:)

That explains it thanks. Also identifies a "never do this in the real world". I think it would be a good addition to the content. I may not have caught it in the discussion.



"Never" is a strong word. If

Michael Bissell's picture
"Never" is a strong word. If you're using API keys just as a way to identify developers and apps then Products are irrelevant. But you need to have at least one product so creating an unrestricted product in that case is reasonable and easier to manage as you add new resources. But yes, it's at least important to understand the consequences.