I have a django web app that exposes
/api to the world. I would like my regular users to be able to see both, but an external service to only see
/api. My API is read only and not particularly dangerous in the event an API ke gets loose, but the admin is obviously not safe to expose.
There doesn’t seem to be a way to scope the Access Service Token to particular path, and I can’t create a second “Application” that shares the same hostname. Am I missing something?
Second question - do I need to store the JWT token in my external application and use that for all future requests, or am I fine to use the ID/Secret for all requests? This is running in a serverless setting so either way it could be doing the initial auth many times anyways.