I was going to make a blog post of this, but it turns out I don't have a blog. Sorry for the length, but I wanted to put this out there.
What is the GW2 API?
I had a spare hour this week and decided to look into the Guild Wars 2 API. You may have already used this without realizing it: it's the service that powers WvWintel and similar WvW status apps.
This summer ArenaNet extended the API to give out information about other parts of the game, and there's been an upsurge in new applications since. For the most part this is a very good thing. A lot of the information it exposes is general purpose: items, recipes, materials, dyes, WvW status, etc. This information is the same for everyone, so it doesn't require access to your account data.
Where the API key comes in
But the service can also share information about your account and characters. To access your data, an app needs your "API key". This is a passcode you request from the Guild Wars 2 account page.
- It's important to note that we're talking about in-game data only. Your email, login/password, credit card, and other outside-game details can NOT be accessed using the API.
The catch is the simplicity of the API key itself. It's a simple code which is essentially a free pass to your account's in-game data. As soon as you give the passcode to an application, you've released it 'into the wild'. Unlike when you grant Facebook access to a specific application, for example, this passcode can be used by other apps, other websites -- anywhere by anyone. It can be passed around, sold, even stolen from an application's database.
- For the nerds among us: the GW2 API is a web service. You call an endpoint using an HTTP GET or POST, and the data is returned as JSON. To request account-specific data, the API key is passed in the ?access_token= param in the URL -- no auth!
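Because the key rides in the URL's query string, it gets copied into every place URLs are recorded: proxy and web-server logs, browser history, and so on. As an added example (not from this post or from ArenaNet), here is a small Python scrubber that redacts the access_token value from access-log lines before they are stored; the log lines and key values are constructed, not real.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample access-log lines; the key values are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2015:12:00:00 +0000] "GET /v2/account?access_token=ABCD1234-FAKE-KEY HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Sep/2015:12:00:01 +0000] "GET /v2/items?ids=1,2,3 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Sep/2015:12:00:02 +0000] "GET /v2/characters?page=0&access_token=WXYZ9876-FAKE-KEY&lang=en HTTP/1.1" 200 4096',
]

SENSITIVE_PARAMS = {"access_token"}   # query parameters that carry a secret
REDACTED = "REDACTED"
# Matches the request line inside a typical access-log entry: "GET /path?query HTTP/1.1"
URL_RE = re.compile(r'"(GET|POST|PUT|DELETE) (\S+) HTTP/')


def redact_url(url: str) -> str:
    """Replace the value of any sensitive query parameter; leave other URLs untouched."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k in SENSITIVE_PARAMS for k, _ in query):
        return url  # nothing secret here, so keep the original encoding byte-for-byte
    cleaned = [(k, REDACTED if k in SENSITIVE_PARAMS else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_log_line(line: str) -> str:
    """Redact sensitive query parameters in the request URL of one log line."""
    return URL_RE.sub(lambda m: f'"{m.group(1)} {redact_url(m.group(2))} HTTP/', line)


def scrub(lines):
    """Scrub a whole log: returns a new list with every key value removed."""
    return [redact_log_line(line) for line in lines]


def count_exposed(lines) -> int:
    """Count lines whose request URL still carries an un-redacted sensitive parameter."""
    exposed = 0
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        query = parse_qsl(urlsplit(m.group(2)).query, keep_blank_values=True)
        if any(k in SENSITIVE_PARAMS and v != REDACTED for k, v in query):
            exposed += 1
    return exposed


if __name__ == "__main__":
    for line in scrub(SAMPLE_LOG):
        print(line)
```

Run it over a real log before shipping the log anywhere (a ticket, a pastebin, a log aggregator) and check that count_exposed() on the result is zero.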
What's the worst that can happen? How likely is that?
First, this isn't a security issue. Handing out your API key won't make it easier for some bad guy to hack your account. But it is something of a 'gaming privacy' issue. Some examples of how your game data could be used:
- Your total gold, or your stockpiles of materials could be published. For example, a "GSCH's Most Wealthy" list.
- You could be pestered by random people trying to acquire something rare you happen to have in your bank.
- Your current builds and gear for each character could be published, GearScore-style, without your consent.
Again, it's just in-game info. Some folks will care about keeping it private, others won't.
As for how likely it is that this will happen--it already is. This week, GW2Efficiency.com published an interesting analysis of GW2 player wealth. They got the information using the API keys of folks who registered to use their website. So far, they haven't shared any player-identified data publicly, and that's to their credit. But this proves they are storing the API keys, which leaves them open to an Ashley Madison-style attack at the very least.
How can I protect myself?
The good news is that you can protect your GW2 API privacy in three ways.
1. Don't give 'em your key.
If you care about your gaming privacy, be wary of giving out your API Key in the first place. If the app or website doesn't need access to your data, don't give it an API key. For general game information find an app or website that doesn't require an API key.
2. Limit your risk from the keys you give.
To create an API key (or several), go to your account page, and choose the Applications tab: https://account.arena.net/applications/create
You can make multiple API keys, and give them each a descriptive name and a unique set of permissions. This is a good thing--it gives you some control over how much access you give each separate app.
- Create a separate key for each app
- Give it the minimum permissions required to use the application
- Be sure to give it a name to remind you which app you created it for
3. Delete unused and compromised keys!
This is your superpower to recall that passcode from the wild. (Once deleted, a key can't be used to access your game data.)
If you no longer use an app, delete the custom key you made for it. If you suspect a key has been compromised, delete it and make a new one to replace it.
Don't worry about running out of keys
As you can see from the pictures, these keys are really long! So long, in fact, that ArenaNet will have to generate a few trillion of 'em before they run out of unique ones. So reroll them as often as you'd like--I have (the ones in the pictures are already gone)!
I hope you find this helpful.
~Shmi