Comment by jeremyccrane

19 hours ago

In the user interface for Railway, all destructive actions require multiple confirmations, plus typing "apply destructive changes". Why would an API key (regardless of its scope) be able to delete without confirmation?

> Why would an API key (regardless of its scope) be able to delete without confirmation?

What do you think an API is for? There's no user sitting at the keyboard when an API is called so where would that confirmation come from? It can't come from the user because there is no user.

Isn’t the point of an API to have two computers talk to each other? As in “if I want safeguards for humans, it would be my responsibility to put them BEFORE calling that API”?

> Why would an API key (regardless of its scope) be able to delete without confirmation?

How do you see this working? Any confirmation would be given by the agent.

... because that's how every other cloud provider API works? The AWS console makes you confirm before deleting a bucket; DeleteBucket does not.