ESI API Key privileges?

Hello. I was looking to join a corp and they requested that I give them an API key to ESI so they can effectively spy on me. I’m a developer so obviously this raises huge red flags. While this is obviously majorly messed up, apparently a lot of corps do this.

But my concern is not with the spying (which is still insane) but the fact that ESI may have more powers than it lets on. Publicly documented on the Swagger interface (https://esi.evetech.net/ui/) it doesn’t show anything about the skill training system, however the Eve Portal mobile application is supposedly built on the same OAuth 2.0 + ESI combo but allows me to change my skills around.

How do I know that giving a corp this spying privilege (which is still insane) doesn’t also grant them undocumented powers over my account? Are there some guarantees from CCP that these endpoints are not usable/accessible by regular applications? Perhaps it’s OAuth2 grants that only CCP apps can request?

Don’t know exactly where to post this question either, so I’m just sort of winging it here in hopes of getting a response that at least could get me a slap on the wrist and point me to where I should be asking.

The mobile app has a direct connection to TQ/database. It doesn’t use only ESI. That’s why you can change skills and trade Plex.

Go read some dev blogs from when it was released, or it was mentioned by devs, Hellmar himself, in one of the streams. Probably on TiS.

Another thing to bear in mind is that ESI isn’t all or nothing. Access to the endpoints is governed by scopes that are shown to you before you agree to grant those scopes to an application. Read the scopes being requested, and if any of them have write access without your understanding why, cross-examine the corporation for justification. If there is an undocumented scope, that scope should still appear on your list if requested. Developers have to declare the scopes their application can access on the Eve developer website as part of gaining access to the ESI API, so an undocumented scope would have to be surreptitiously included somehow with web form trickery. Abuse of this nature would be easy to track down and such an abuser would likely face harsh penalties that begin with a lifetime ban from Eve Online.

Write access is not automatically terrible. For example, Eve Marketer has write access to my autopilot destination so that I can have it plot a course to a station with goods I wish to purchase and pick up. It’s always a good idea to understand what you are agreeing to, why you need to agree to it, and to request clarification if you are uncertain.

1 Like
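The scope review described in the post above, as an added example (not part of the original thread and not CCP's code): it reads the `scope` parameter of an EVE SSO authorization link and separates read scopes from everything that needs a justification. The sample link, client ID and callback are constructed, and the code assumes the ESI scope naming pattern `esi-<area>.<verb>_<thing>.v<N>`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: ESI scopes are named esi-<area>.<verb>_<thing>.v<N>,
# e.g. esi-mail.read_mail.v1 or esi-ui.write_waypoint.v1.
SCOPE_RE = re.compile(r"^esi-[a-z_]+\.([a-z]+)_[a-z_]+\.v\d+$")


def review_scopes(authorize_url):
    """Sort the scopes an SSO authorize link requests into read-only,
    non-read (ask the corp why) and unrecognised (check by hand)."""
    query = parse_qs(urlsplit(authorize_url).query)
    # OAuth 2.0 carries scopes as one space-delimited parameter;
    # parse_qs has already decoded %20 and '+' into spaces.
    requested = " ".join(query.get("scope", [])).split()
    result = {"read": [], "non_read": [], "unrecognised": []}
    for scope in requested:
        match = SCOPE_RE.match(scope)
        if match is None:
            result["unrecognised"].append(scope)
        elif match.group(1) == "read":
            result["read"].append(scope)
        else:
            # write, send, organize, manage, open, ...: anything not "read"
            result["non_read"].append(scope)
    return result


# Constructed sample link; "not-an-esi-scope" is a made-up value that
# exercises the unrecognised branch.
SAMPLE_URL = (
    "https://login.eveonline.com/v2/oauth/authorize/"
    "?response_type=code"
    "&client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fauth.example.org%2Fcallback"
    "&scope=esi-mail.read_mail.v1%20esi-characters.read_contacts.v1"
    "%20esi-wallet.read_character_wallet.v1%20esi-ui.write_waypoint.v1"
    "%20not-an-esi-scope"
    "&state=constructed-state"
)

if __name__ == "__main__":
    for kind, scopes in review_scopes(SAMPLE_URL).items():
        print(f"{kind}: {scopes}")
```

The consent page shown by the SSO remains the authoritative list; this only helps when reading a link before clicking it.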

That’s true that I’d have to agree to the scopes anyway. They seem a lot more fine-grained than say… GitHub’s (lol).

Now I just have to in some way stomach the fact that corps want mail/contact read access. It just seems so dirty and I hate it.

Then, don’t send nudes via Eve mail? Or are you a spy? They ask for that just to get minimal protection and control over information exchange. No one forces you to join that corp; join one that doesn’t ask for ESI, or use alts, Discord, whatever to communicate outside of the game.

You are making a storm in a glass of water…

1 Like

Many large corps and alliances ask for such information because every single new applicant is a spy until proven otherwise, and spies are more devastating to a corp/alliance than an entire supercapital fleet.

If you are not comfortable with giving out ESI information, don’t join the corp/alliance. Corps need to read your in-game mail so that if you have any communications with enemies of the corp you will be rejected; they need to read your contacts to see who you’re blue to or red to. They need to see your wallet transactions to see if you’ve transferred or been given money by their enemies.

It’s not dissimilar to an IRL background check.

1 Like

As others said, corps have to be paranoid, because spies and betrayers are numerous.
Read that as an example of what can happen: https://kotaku.com/how-eve-players-pulled-off-the-biggest-betrayal-in-its-1806168400

Welcome to Eve, I don’t think that many other MMOs can provide this kind of story. And personally, I find it amazing.

So, OP, corps are perfectly right to ask you for this info, and CCP provided the tool for that. If you don’t want to join a corp which asks you that, no problem, that’s YOUR choice. This is a sandbox.

2 Likes

You are mistaken about 2 things.

The game and official app: you actually log into your account, hence it is a 2-way communication.

Everything else: you use the ESI API, which is a read-only option.

And most respectable corps will do a background check on possible recruits, for the sole reason that spying, theft and awoxing is legal in EVE, so you want to know who you invite in your group

1 Like
