Operating System & Version
CentOS v7.9.2009 v100.0.7
cPanel & WHM Version
v100.0.7

adibranch

Member
Hi,

Just wondering about token access. We have a site on the server that a 3rd party wants access to via an API token. The token key will be stored in plain text in a config file in the site's public folder. I am aware that I can create a token in the account's cPanel, and also within WHM.

I have a couple of questions.

1) If I create a token within the site's cPanel, does this prevent root access to the entire server?
2) Is storing the token key in the config file a security risk?

I'm finding conflicting information on the net and also on here. The server support says a token created in cPanel will not in any way allow root access. However, I am wary.
 

cPRex

Jurassic Moderator
Staff member
Hey there! If the token is created in cPanel, it would only have access to that specific cPanel user, and only access to what that cPanel user can do. If there are additional restrictions on the account, the token wouldn't be able to exceed that. The token cannot get root access to the machine - root tokens would need to be created in WHM to have that type of behavior.

More details on the cPanel-side tokens can be found here:

 

adibranch

Member
Thanks. So there is basically no way that anything can happen outside of that account. That's good to hear. I guess it's still not ideal storing the key in a plain text file though.
 
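On the plain-text storage concern raised in the thread, here is an added example (not part of the original posts and not cPanel's own code) of a loader that refuses to use a token file that sits under the site's document root or is readable by anyone but its owner. The function names, the `/home/exampleuser` layout and the `.secrets/api_token` path are assumptions; the `cpanel user:token` Authorization value is the header format cPanel API tokens use.

```python
import stat
from pathlib import Path


class TokenStorageError(Exception):
    """Raised when the token file is stored in an unsafe place or mode."""


def load_token(token_path, docroot):
    """Return the token only if the file is outside docroot and owner-only."""
    token_file = Path(token_path).resolve()
    web_root = Path(docroot).resolve()

    # A file under the document root can be fetched over HTTP whenever the
    # web server treats it as static content.
    if token_file == web_root or web_root in token_file.parents:
        raise TokenStorageError(f"{token_file} is inside the document root")

    mode = token_file.stat().st_mode
    if not stat.S_ISREG(mode):
        raise TokenStorageError(f"{token_file} is not a regular file")
    # Reject any group/other permission bits (anything looser than 0600).
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise TokenStorageError(
            f"{token_file} has mode {stat.S_IMODE(mode):o}, expected 600")

    token = token_file.read_text().strip()
    if not token:
        raise TokenStorageError(f"{token_file} is empty")
    return token


def cpanel_auth_header(user, token):
    """Build the Authorization header for a cPanel (not WHM) API token."""
    return {"Authorization": f"cpanel {user}:{token}"}


if __name__ == "__main__":
    # Hypothetical layout for a cPanel account named "exampleuser".
    home = Path("/home/exampleuser")
    try:
        tok = load_token(home / ".secrets/api_token", home / "public_html")
        print("token loaded, header:", list(cpanel_auth_header("exampleuser", tok)))
    except (TokenStorageError, OSError) as err:
        print(f"refusing to use token: {err}")
```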