Hello. I was looking to join a corp and they requested that I give them an API key to ESI so they can effectively spy on me. I’m a developer so obviously this raises huge red flags. While this is obviously majorly messed up, apparently a lot of corps do this.
But my concern is not with the spying (which is still insane) but the fact that ESI may have more powers than it lets on. Publicly documented on the Swagger interface (https://esi.evetech.net/ui/) it doesn’t show anything about the skill training system, however the Eve Portal mobile application is supposedly built on the same OAuth 2.0 + ESI combo but allows me to change my skills around.
How do I know that giving a corp this spying privilege (which is still insane) doesn’t also grant them undocumented powers over my account? Are there some guarantees from CCP that these endpoints are not usable/accessible by regular applications? Perhaps it’s OAuth2 grants that only CCP apps can request?
Don’t know exactly where to post this question either, so I’m just sort of winging it here in hopes of getting a response that at least could get me a slap on the wrist and point me to where I should be asking.
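
An added example, not part of the original post and not CCP's code: in OAuth 2.0 the scopes an application asks for are listed in the `scope` parameter of the authorization link, so they can be read before consenting. The sample link, its client ID, redirect URI and scope list are constructed, and the `esi-<area>.<verb>_<object>.v<N>` naming pattern used to flag non-read scopes is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample consent link; client_id, redirect_uri and scopes are made up.
SAMPLE_URL = (
    "https://login.eveonline.com/v2/oauth/authorize/?response_type=code"
    "&redirect_uri=https%3A%2F%2Fauth.example.org%2Fcallback"
    "&client_id=CLIENT_ID_PLACEHOLDER"
    "&scope=publicData%20esi-skills.read_skills.v1%20esi-skills.read_skillqueue.v1"
    "%20esi-wallet.read_character_wallet.v1%20esi-mail.send_mail.v1"
    "&state=abc123"
)


def requested_scopes(url):
    """Return the scopes an OAuth 2.0 authorization URL asks for.

    RFC 6749 defines `scope` as a space-delimited list; parse_qs decodes
    both %20 and + to spaces before we split.
    """
    query = parse_qs(urlsplit(url).query)
    scopes = []
    for value in query.get("scope", []):
        scopes.extend(value.split())
    return scopes


def classify(scope):
    """Sort a scope into 'read', 'non-read' or 'other'.

    Assumed naming pattern: esi-<area>.<verb>_<object>.v<N>. Any verb other
    than 'read' is flagged so it gets a manual look before consent.
    """
    parts = scope.split(".")
    if len(parts) != 3 or not parts[0].startswith("esi-"):
        return "other"
    verb = parts[1].split("_", 1)[0]
    return "read" if verb == "read" else "non-read"


def audit(url):
    """Group every requested scope by its classification."""
    report = {"read": [], "non-read": [], "other": []}
    for scope in requested_scopes(url):
        report[classify(scope)].append(scope)
    return report


if __name__ == "__main__":
    for kind, scopes in audit(SAMPLE_URL).items():
        print(f"{kind:9} {scopes}")
```
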