EVE Technology Lab

I think the fastest easiest and best solution is for CCP to remove the ability to change the CAK Type or vCode after it has been created.

If we have to call AIPKeyInfo to verify keys, then you have to do this immediately before EVERY api call to make sure nothing changed in the last few milliseconds. Congratulations CCP, you just doubled the number of requests made to the API.

Actually most of the time it won't be that bad as like in the past the API key info is cached for up to 5 minutes on their side so until APIKeyInfo changes everything should be correct and everything you get from the APIs should be for the old info. We are talking a unusual edge case here that is more likely to happen during development testing where people are more likely to do stupid stuff like re-tasking an existing key.

It would be nice if when changes are made to a key the API server won't allow any APIs to be downloaded until APIKeyInfo has been accessed again. If it would return an error code for the other APIs instead to let you know there had been a change it could even be handled automatically to force an update call on our end.

Have you considered that malicious users may exploit this bug to deliberately try to feed you false data ???

Seriously, the simple fix is to prevent users from changing either the Type, Corp or Character for an existing CAK. Ten minutes work on the support web page where CAKs are generated will fix this problem without need for complicated alterations to the API system.

Last few comments are great and all but they forget one point you only get 10 key period so what happens when you use them up? If you can't change them you stuck in a very bad place. Good example someone not knowing any better creates 10 key for a single character but then needs to make corp key since he is CEO and there are no directors in corp or the only ones are on the same account how could anyone get themselves out of that without being able to change a key? The feeling I got from CCP is they were only going to ever allow 10 keys and made them so they could be changed so they could be reused. Now idea of invalidating is great but what if you decided you want to have a key with same APIs etc? Are you say tough you get to just make another one and try to remember what you had? What if they need to keep the key, vCode the same because they don't have a secure way anymore to get the new info to the person that needs the access?

In the end the only ones that can truly solve this are the only ones that haven't posted to this thread and that is CCP. I have a feeling we're not going to get one from them without someone filing a petition/bugreport with the latter probably being the better thing to do. It will need to refer to this thread as well so they get a better understanding of what a problem it is.

Anyway another couple $0.02 ISKs worth of my thoughts on it I'm off to bed.