When designing software, there’s always a balance between flexibility and complexity. On one hand, you could design for every conceivable situation, but explaining it simply would be impossible. On the other hand, you could design something that’s simple to use but quickly falls down when applied in the real world.
I feel we’ve found a middle ground with the security we’ve built for the BinaryOps APIs. We’ve implemented a system that is simple to apply and should be adequate for most cases, but that, with a little more effort, can also accommodate complex situations. We’ve implemented a system of Users, Roles and Groups.
There’s one more thing. Not every Entity needs to be queried by a named user. Sometimes data is wide open to the public, so we’ve created the notion of an anonymous User. This is a special API user account that can have Groups assigned to it like any other. API requests without a Bearer token in the ‘Authorization’ header inherit the permissions assigned to the anonymous User.
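To make the anonymous-User fallback concrete, here is an added illustration in Python. It is example code, not the BinaryOps implementation, and it assumes a deliberately simple model: each User holds a set of Groups, each Group grants a set of actions on named Entities, and a request with no ‘Authorization’ header resolves to a dedicated anonymous User. The user, group, token and entity names are all constructed for the example. One detail the example adds as its own assumption, because the text above does not say how it is handled: a header that is present but malformed, or that carries an unknown token, is rejected rather than quietly downgraded to anonymous, so a client with a bad credential learns it is not logged in instead of silently seeing public data only.

```python
"""Illustration of resolving a request to a User and checking Group permissions.

Example code, not the BinaryOps implementation. Names and data are constructed.
"""

ANONYMOUS = "anonymous"  # assumed name of the special anonymous User account

# Constructed Group -> {Entity: {actions}} table.
GROUPS = {
    "public-readers": {"products": {"read"}},
    "catalog-editors": {"products": {"read", "write"}},
    "finance": {"invoices": {"read", "write"}},
}

# Constructed Users and the Groups assigned to each. The anonymous User holds
# only the public-read Group: whatever it can do, any unauthenticated caller can do.
USERS = {
    ANONYMOUS: {"public-readers"},
    "alice": {"catalog-editors"},
    "bob": {"finance", "public-readers"},
}

# Constructed opaque bearer tokens -> User name. A real service would validate
# a signed or stored token here; this lookup table stands in for that step.
TOKENS = {
    "tok-alice-123": "alice",
    "tok-bob-456": "bob",
}


class AuthError(Exception):
    """Raised when a presented credential is malformed or unknown."""


def resolve_user(headers):
    """Map request headers to a User name.

    No Authorization header at all -> the anonymous User, as the post describes.
    A header that is present but not 'Bearer <token>', or whose token is
    unknown, raises AuthError (an assumption of this example, not a documented
    BinaryOps behaviour) rather than falling back to anonymous.
    """
    auth = headers.get("Authorization")
    if auth is None:
        return ANONYMOUS
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme != "Bearer" or not token:
        raise AuthError("malformed Authorization header")
    user = TOKENS.get(token)
    if user is None:
        raise AuthError("unknown bearer token")
    return user


def permissions_for(user):
    """Union of the actions granted by every Group the User belongs to."""
    perms = {}
    for group in USERS.get(user, set()):
        for entity, actions in GROUPS.get(group, {}).items():
            perms.setdefault(entity, set()).update(actions)
    return perms


def is_allowed(headers, entity, action):
    """Authorization decision for one request; invalid credentials raise AuthError."""
    user = resolve_user(headers)
    return action in permissions_for(user).get(entity, set())


if __name__ == "__main__":
    # No token: the anonymous User's Groups apply.
    print(is_allowed({}, "products", "read"))
    print(is_allowed({}, "products", "write"))
    # A named User gets the union of its own Groups.
    print(is_allowed({"Authorization": "Bearer tok-alice-123"}, "products", "write"))
```

The design point worth noticing is that the anonymous User is just another User with Groups, so the same `permissions_for` path serves both cases; the only special handling is in `resolve_user`, and keeping that decision in one place is what makes it easy to audit which Groups an unauthenticated caller actually inherits.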
I hope that gives you an understanding of how we’ve made securing your API simple, while still allowing the flexibility to secure it in whatever way you need.