We are working with a self-hosted deployment (a docker setup) with skygear-server and skygear-chat. The API_KEY is known to our web application as well as to the iOS and Android app and it is therefore possible that the key is known by an attacker. Therefore i have the following questions:
Is it possible to restrict some calls to the API (e.g. query request to fetch all users?)
Is it possible to change the API_KEY without restarting the server (e.g. if we would like to change the key every night?)
Thanks for you help.