It's now possible to authenticate to the Batch API with OAuth. This is great and a big improvement on sending the key as a query string in the URL, which is very easy for a bad actor to sniff out and copy.
However, there is no way to enforce that a certain key or institution uses OAuth; it is simply there to future-proof progressive consumers who are OAuth-ready.
I've been contacting all of my Batch API consumers asking them to please start using OAuth and put it on their roadmaps.
Can iSAMS add a checkbox to enable/disable the use of query-string-provided API keys so that we can effectively phase out their use as quickly as possible? I will insist on IP filtering for all consumers that do not use OAuth to help cover some of the risk.
SchoolPost have now consolidated to a single IP. Also, thank you for marking this as a Next item. All the newer modules and developments are coming out secure by default. Unfortunately, the older bits are the opposite and can require a lot of thought and work to secure after the fact. I don't imagine all schools understand all of the risks and mitigations, so thank you for sweeping through the old bits to help secure them too.
This has become more pressing. SchoolPost have moved to a cloud with shared IP addresses. I can no longer secure the SchoolPost API key by IP effectively, and so I can no longer securely use SchoolPost Sync. If either iSAMS or SchoolPost took security seriously, this could be resolved quite easily.
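To make the two controls discussed in this thread concrete (the requested checkbox that refuses query-string API keys, and the per-key IP allowlist used as an interim mitigation), here is an added, illustrative authentication check. It is not iSAMS or SchoolPost code; the `apiKey` parameter name, the `Policy`/`Request` shapes, the credential values and the IP addresses are all constructed for the example. It also shows why the allowlist stops helping once a consumer sits behind a shared cloud range: anyone else on that range who has copied the key passes the check.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Constructed credentials for the demo. A real gateway would look these up
# and validate OAuth tokens properly (signature, expiry, audience, scope).
VALID_BEARER_TOKENS = {"tok-oauth-consumer-1"}
VALID_API_KEYS = {"key-legacy-consumer-1"}


@dataclass
class Policy:
    # The requested checkbox: when False, keys in the query string are refused
    # outright, whatever the key and whatever the source IP.
    allow_query_string_keys: bool
    # Interim mitigation for consumers still on keys: key -> permitted CIDRs.
    ip_allowlist: dict[str, list[str]] = field(default_factory=dict)


@dataclass
class Request:
    url: str
    headers: dict[str, str]
    client_ip: str


def _known(presented: str, known: set[str]) -> bool:
    """Compare against every entry so timing does not reveal near-misses."""
    found = False
    for candidate in known:
        if hmac.compare_digest(presented.encode(), candidate.encode()):
            found = True
    return found


def _header(req: Request, name: str) -> str:
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def authenticate(req: Request, policy: Policy) -> tuple[bool, str]:
    """Return (allowed, reason). Bearer tokens are preferred; query-string
    keys are a fallback the policy can switch off or fence with an allowlist."""
    auth = _header(req, "Authorization")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):].strip()
        if _known(token, VALID_BEARER_TOKENS):
            return True, "oauth bearer token"
        return False, "invalid bearer token"

    keys = parse_qs(urlsplit(req.url).query).get("apiKey", [])
    if not keys:
        return False, "no credentials presented"
    if not policy.allow_query_string_keys:
        # Refused before the key is even checked: a leaked key is worthless
        # once the toggle is off.
        return False, "query-string API keys are disabled"
    key = keys[0]
    if not _known(key, VALID_API_KEYS):
        return False, "unknown API key"
    cidrs = policy.ip_allowlist.get(key)
    if not cidrs:
        return False, "API key has no IP allowlist configured"
    src = ip_address(req.client_ip)
    if not any(src in ip_network(c) for c in cidrs):
        return False, "source IP not in allowlist for this key"
    return True, "query-string API key within IP allowlist"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenarios: an OAuth consumer, a legacy consumer on a fixed
    IP, the same key copied elsewhere, the toggle, and a shared cloud range."""
    key = "key-legacy-consumer-1"
    key_url = f"https://example.invalid/api/batch?apiKey={key}"
    fixed_ip = Policy(True, {key: ["203.0.113.10/32"]})
    keys_off = Policy(False, {key: ["203.0.113.10/32"]})
    shared_range = Policy(True, {key: ["203.0.113.0/24"]})  # provider's shared block
    oauth_req = Request("https://example.invalid/api/batch",
                        {"authorization": "Bearer tok-oauth-consumer-1"}, "198.51.100.7")
    return {
        "oauth": authenticate(oauth_req, keys_off),
        "legacy_from_fixed_ip": authenticate(Request(key_url, {}, "203.0.113.10"), fixed_ip),
        "legacy_key_copied": authenticate(Request(key_url, {}, "198.51.100.7"), fixed_ip),
        "legacy_after_toggle": authenticate(Request(key_url, {}, "203.0.113.10"), keys_off),
        # Another tenant on the shared range holding a copied key gets through.
        "shared_cloud_range_attacker": authenticate(Request(key_url, {}, "203.0.113.50"), shared_range),
    }
```

The `shared_cloud_range_attacker` scenario is the situation described in the last post: once the consumer's egress is a range shared with other tenants, the allowlist has to be widened to that range and no longer distinguishes the legitimate consumer from anyone else on it, so the only effective remedy is turning query-string keys off for that consumer and moving it to OAuth.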