Orders can still be placed via API after the API app is deleted — security risk

keshav23
Hi team,

I've found what looks like a serious security issue with API app deletion.

After I deleted my API app, the API key still continued to work and was able to place live orders successfully. A user who deletes their app expects API access to be fully revoked. Right now it is not, which means orders can keep flowing through a key the user believes is already disabled.

Details:

Client ID: CUN131
API Key: bpjm****3ds
Sample Order ID: 2066751146126925824
This order, along with a couple more orders, was placed via API after the API app was deleted. Please compare the order creation timestamp against the API app deletion timestamp on your end — the gap will confirm that orders went through after deletion.

I have now cancelled the test order I placed to check this bug.

Expected behavior: Once an API app is deleted, the associated API key/session should be invalidated immediately and any further order requests should be rejected.

Actual behavior: The deleted app's API key still authenticates and places orders.

Please treat this as a priority fix since it has direct safety and security implications for users.

Thanks,
CUN131
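The expected behaviour described in the report (deleting an API app must revoke its key and every live session, and any later order request must be rejected) is shown below as an added example; it is not part of the original post and not the broker's code. It models a hypothetical in-memory gateway in two modes: the vulnerable one, where deletion only blocks new logins while existing sessions keep trading, and the hardened one, where deletion purges the app's sessions and order placement re-checks the app's status on every request. The app registry, session store, order IDs, symbol and logical clock are all constructed for the example; the client ID from the report is used only as a label. The `orders_after_deletion` helper is the timestamp comparison the report asks the vendor to run.

```python
"""Hypothetical broker API gateway (constructed example, not the broker's code).

Demonstrates why deleting an API app must invalidate the app's sessions and why
order placement must re-check the app's status, not just the session table.
"""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class ApiApp:
    client_id: str
    api_key: str
    deleted_at: Optional[int] = None   # logical deletion timestamp; None while the app is live


class Gateway:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.apps: dict[str, ApiApp] = {}            # api_key -> app (kept after deletion for audit)
        self.sessions: dict[str, str] = {}           # session token -> api_key
        self.orders: list[tuple[str, str, int]] = [] # (order_id, api_key, placed_at)
        self.clock = 0                               # logical clock keeps the example deterministic

    def tick(self) -> int:
        self.clock += 1
        return self.clock

    def create_app(self, client_id: str) -> str:
        api_key = secrets.token_hex(8)
        self.apps[api_key] = ApiApp(client_id, api_key)
        return api_key

    def login(self, api_key: str) -> str:
        # Both modes refuse new logins for a deleted app; the bug is about sessions
        # that already exist at deletion time.
        app = self.apps.get(api_key)
        if app is None or app.deleted_at is not None:
            raise PermissionError("unknown or deleted API app")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = api_key
        return token

    def delete_app(self, api_key: str) -> None:
        self.apps[api_key].deleted_at = self.tick()
        if self.hardened:
            # Revoke every live session issued to this app, not just future logins.
            for tok in [t for t, k in self.sessions.items() if k == api_key]:
                del self.sessions[tok]

    def place_order(self, token: str, symbol: str, qty: int) -> str:
        api_key = self.sessions.get(token)
        if api_key is None:
            raise PermissionError("invalid session")
        if self.hardened:
            # Defence in depth: re-check the app on every order, so a session that
            # outlived deletion (cache, replica lag) still cannot trade.
            if self.apps[api_key].deleted_at is not None:
                raise PermissionError("API app deleted; session revoked")
        order_id = f"ORD{len(self.orders) + 1:04d}"
        self.orders.append((order_id, api_key, self.tick()))
        return order_id


def orders_after_deletion(gw: Gateway, api_key: str) -> list[str]:
    """The check the report asks for: orders timestamped after the app's deletion.
    Any result means revocation did not take effect."""
    deleted_at = gw.apps[api_key].deleted_at
    if deleted_at is None:
        return []
    return [oid for oid, key, t in gw.orders if key == api_key and t > deleted_at]


def demo(hardened: bool) -> tuple[bool, list[str]]:
    """Returns (order accepted after deletion?, order IDs placed after deletion)."""
    gw = Gateway(hardened)
    key = gw.create_app("CUN131")      # client ID from the report, used only as a label
    tok = gw.login(key)
    gw.place_order(tok, "XYZ", 1)      # legitimate order while the app is live
    gw.delete_app(key)
    try:
        gw.place_order(tok, "XYZ", 1)  # the reported scenario: same session, app deleted
        accepted = True
    except PermissionError:
        accepted = False
    return accepted, orders_after_deletion(gw, key)


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))   # (True, ['ORD0002'])
    print("hardened:  ", demo(hardened=True))    # (False, [])
```

The two fixes in the hardened mode are independent and both are worth having: purging sessions at deletion time closes the gap immediately, and re-checking the app on each order covers the case where a session record survives in a cache or a lagging replica after the purge.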
  • salim_chisty
    Thanks for reporting this. We're aware of the current behaviour and are working on a more robust solution to handle session invalidation when an API app is deleted. We'll update this thread if there are any changes.