Heya guys, we have a question regarding authentication: OAuth vs Personal Access Token (PAT) vs enterprise service accounts.
We are Integromat - a user-friendly automation platform with a visual UI that allows you to connect more than 1000 apps (including Asana) together.
One of our clients has asked us whether it would be possible to also start supporting authentication for the enterprise service accounts. The client is an automation agency which is providing services mainly around Asana. The client has dozens, nay hundreds, of clients of their own. The reason why they asked us about this is that they sometimes have a hard time getting regular “user” accounts from their clients which can be used for authentication via the OAuth flow. Our understanding is that in order to start supporting authentication for enterprise service accounts, we need to start supporting PAT. This is what we see in your documentation: “Use Service Account tokens as organization-level substitutes for Personal Access Tokens.” (link here)
However, we did not originally develop the PAT authentication because we did not want to get into potential trouble since your documentation also states “Personal Access Tokens are designed for accessing the API from the command line or from personal applications.” (link here)
We’ve checked with our developers and we can develop the PAT authentication method but we cannot limit what auth method is used by which user. E.g. even a non-enterprise regular user would be able to use the PAT to authenticate instead of going through OAuth.
We are wondering whether supporting PAT under these rather complicated circumstances would be against your rules or not. Can you please shed more light on this?
Thanks a bunch!