Token_auth in URL when request generated via Quick access to APIs

Pentesters found out that, according to the Matomo documentation, “token_auth” is a secret, hence it shouldn’t be visible in the URL. It’s all fine, but from the “Quick access to APIs” section under Administration → Platform → API you can see that

force_api_session=1

is added there by default. I know that this token is generated on login and destroyed on logout or even after 30 mins of inactivity (by default).
I am not talking about API calls initiated by external apps / codes etc.
I am strictly talking about “Quick access to APIs”.
Even though I assume you cannot use a URL with token_auth found somewhere in a web browser with another MATOMO_SESSID (not related to the original token_auth), they base this on the Matomo documentation, which says that “token_auth” is a secret.

Is it possible to somehow hide this token_auth from the URL or move it to headers in API calls initiated from the website?
