Support

No, you are right. That's the downside of the current JSON API implementation, it comes without logging in the user.

I will add a workaround for the delete API method.

The ultimate goal is to use the Joomla API application for Akeeba Backup's API. However, this is still not quite possible as it only supports Super Users, whereas the most sensible use case for backups would be to create a very limited backend user group role which has only access to Akeeba Backup. Ideally, that user group would only be granted the subset of privileges required for the remote backup operations one would want, for example just the backup privilege to run backups. This way even if the token leaked it would be both easy to reset and the effects would be relatively anodyne (to the extent that someone running continuously backups on the site is anodyne). I am only mentioning this so you have an idea what is in the back of my mind, pending support from Joomla itself — and why I am so invested in the Joomla API application 🙂

> Awesome, can you let me know once you have a dev build available? Will happily test it :)

Yup. Here you go: https://www.akeeba.com/download/akeebabackuppro-dev/9-5-1-dev202302161317-rev9602cd0.html

> What's your current blocker with API application and non-superadmin users?

The current implementation of the core API components is restricted to Super Users. For this reason, the API token plugin is limited to Super Users as per the discussion we had in 2020 when I contributed it to the core. There is the provision to add a user group multi-select field named allowedUserGroups in its XML file to allow non-Super Users to access it.

Otherwise, I would have to fork this plugin, which is in itself a fork of my FOF User Token plugin from 2018. To quote Lethal Weapon, “I am too old for this s…t” .