feature/4695-updating-api-user-documentation
Removing a bullet from the "API Users" TrackVia Developers page that makes a false claim about API Users and their access to the web and mobile applications.
For further context and full clarification:
We acknowledge that our developer documentation previously indicated that API users could not access the web or mobile applications. This was inaccurate, and we are working on updating our documentation to more clearly reflect current system behavior.
After internal security review, we confirmed that API users and their tokens are always created and provisioned with TrackVia’s role-based access controls. This means their access is restricted to the permissions associated with the assigned role, ensuring the principle of least privilege is maintained regardless of whether access occurs via the API, web, or mobile clients.
To further strengthen our security posture, we have identified and prioritized a path forward to introduce a feature flag that will allow administrators to explicitly disallow API users from authenticating into the web and mobile applications. This enhancement is currently on our roadmap for an upcoming release.
In summary:
- Documentation has been corrected to align expectations with system behavior.
- RBAC ensures least-privilege access for all API users today.
- Roadmap item identified: upcoming feature flag will enforce headless-only API accounts where required.