Appcenter: API token per app and per feature

This is a critical need and a major security concern for us and our clients (who include Government organisations).
The API token list indicates that such a mechanism is planned ("App" column contains "All Apps"), but there's no option to enable it at present.

@Minishlink We really like this idea. We can't make any promises at the moment, but will keep this open and watch for customer votes/thumbs on this issue.

@iageoghe Chuffed to hear you're so keen on this.

However, given that it's a significant security hole that may not even be obvious to some of your clients, I don't think you should prioritise this based on "votes/thumbs".

End-user organisations may not even be aware of the issue until a breach hits them. For example, if I have an API Token set up for access to Organisation A, and then Organisation B invites me to their App Center, suddenly both Organisations can tamper with each other's resources.

It is also inconsistent with the granular permissions provided for API tokens for equivalent/peer services in this space.

At the very least, please consider implementation a clear and obvious warning advising of the issue, and that the workaround is to create a single App Center account per Organisation.

@thetanz-geoff I would love to discuss this issue with you directly and get additional feedback, would you mind reaching out to me via email? We were unable to validate the bi-directional access portion of your claim, _”suddenly both Organisations can tamper with each other’s resources”_ however it is entirely possible that I missed something.

@iageoghe This is a very serious issue, and is one of the blockers preventing us from migrating off of HockeyApp. If it's not resolved before the HockeyApp shutdown we will have to consider alternative providers.

@chrisballinger We hear you loud and clear. Stay tuned.

Hello @iageoghe. Do you have any update regarding this request? We would like to create api tokens so only one token will be assigned to the app directly. It will significantly increase an overall security by limiting what user can do with generated api token. In just over a month HockeyApp will be shut down. It will be good to have this feature onboard as soon as possible to proceed with migration smoothly.

Hey @iageoghe We need to move from HockeyApp, but this feature is needed for us to migrate successfully. Do we have any update on this feature?

@khagesh @PatrykKaczmarek @chrisballinger We're discussing how to prioritize this work right now. As soon as I have more to share about when it's expected to land, I'll be back here to share.

And thank you for your patience. We're trying to get it done as soon as we can, given the rest of the work to finish up the HockeyApp migration.

@ScottArbeit Thank you for the update!

any progress on this issue?

@francho We are looking into providing tokens per app this quarter. We should have more details in the coming weeks.

@iageoghe Awesome, looking forward to it!

@iageoghe Any estimate on when we can expect this option of tokens per app?

Even if we could at least seperate tokens per organisation it would work for us.

App API tokens have just been shipped to production. 🎉 Updated documentation can be found at https://docs.microsoft.com/en-us/appcenter/api-docs.

Thanks to all of our customers who asked for it... we're all thrilled to deliver it. If you run into any issues using App API tokens, please open a support ticket by clicking the ? in the upper-right corner of any App Center page and selecting "Contact Support".

@ScottArbeit Awesome, thank you!