Project

General

Profile

Bug #7141

Updated by Tom Clegg over 8 years ago

This will make it possible to access public data anonymously directly through the API, without going through Workbench. 

 Ideally Workbench (and the download service, when that happens) will also learn this from the discovery doc instead of its own config file. 

 h3. Background 

 Even when reading publicly accessible objects, clients must provide a valid API token. We _could_ accept "no token provided" as being equivalent to "anonymous token", but we have decided not to: 
 * it's bad enough that 404 means "the object you are requesting does not exist _or_ is not visible with these credentials", without adding another possibility "... _or_ ((your credentials were not received at all for some reason) and (the object you are requesting is not public))". 
 * it's good to have fewer special cases in the authentication path 

 Aside: it wouldn't be unreasonable to use something like "*" or "-" (instead of the usual long string of random characters) as the anonymous token -- assuming there aren't any assumptions in the code base about length or allowed characters. 

Back