Description
The API docs at https://redash.io/help/user-guide/integrations-and-api/api/ include the following statement in the context of the Query Results endpoint (emphasis mine):
Appending a filetype of .csv or .json to this request will return a downloadable file.
If you append your api_key in the query string, this link will work for non-logged-in users.
My understanding is that Redash allows users only to generate a single API key that has the same permissions as the users, including listing/executing/modifying all queries that the user has access to.
This advice seems ambiguous, and might lead users to accidentally expose their API key, and compromise all datasets that the user has access to through their Redash instance.
Edit: A colleague pointed out that this paragraph likely refers to query API keys, as mentioned further above on that page. Nevertheless, it would probably be a good idea to avoid this ambiguity.