Feature Request: Specify Comment Author

Right now, posting to the /tasks/task-id/stories endpoint adds a comment to a task which is authored by the currently authenticated user.
Reference: Build an app with Asana

Are there any plans to allow specifying which user should be the comment author? Right now I plan on storing each of my team’s personal API keys for use based on which user the comment should be authored by, but it feels like a bit of a hack.

Thanks!

1 Like

Hey @Josh_Niemeyer,

Thanks for reaching out. Can you tell me a bit more about the integration you’ve built? There are no plans to allow a Personal Access Token (PAT) authenticated script to choose a comment author. As a workaround, you could use a bot account for the PAT and then append an author’s name to the text of a comment.

Another option would be to use OAuth which would allow users to comment as themselves when using an integration.

We advise against accessing or storing other users’ PATs. These should be treated as passwords (i.e. not shared).

Cheers!
Jeff

Hi Jeff,

Thank you for taking the time to reply here!

I’m working on an application to migrate Basecamp 3 projects into Asana. Right now this is strictly for internal use, but may be available publicly in the future. I plan on utilizing Oauth within my application if it ever goes public, but right now using personal access tokens for my internal team makes the most sense to get up and running.

Speaking of Oauth, I see that your tokens are only valid for 1 hour. You grant refresh tokens, yes, but this seems like a relatively short time period. Especially if someone were to have their entire team authorize my app, by the time they get everyone authorized, one of their tokens will have expired and they will need to restart the process.

There’s never a need for a user to restart anything. If you do an API call and get back a result that the token has expired, just call the token exchange endpoint passing your refresh token and grant_type=refresh_token; you’ll get back a valid access token and you can then re-do the original call with that new token. It’s all transparent to the user.

1 Like

Hi Phil,

Forgive me for missing that point in the docs… I’m fairly new to Oauth and I was afraid that a token expiration of 1 hour would cause unending app interruptions for the user. This makes much more sense now. Thanks!