knightluffy
Contributor II

Why Xrfkey can be dynamic

Hi, 

I have tested the QPS API successfully from https://github.com/goldbergjeffrey/qsticket. But I don't understand why the Xrfkey is designed as a static/dynamic string of 16 arbitrary characters. Is it possible to use a dynamic Xrfkey to track each HTTP request with some Qlik Sense log?

 


Accepted Solutions
Levi_Turner
Employee

Yes, the Xrfkey can be dynamic or static (https://help.qlik.com/en-US/sense-developer/September2019/Subsystems/RepositoryServiceAPI/Content/Se...). As for why Jeff hard-coded the value, it's likely to speed up the development of the demo code.


3 Replies
vegard_bakke
Partner - Creator III

Sorry for picking up an old thread. But, just to clarify:
I know the xrfkey can be static, meaning the same hardcoded value, always.
But should it?

Are there any security concerns with not changing it, either for every session or for every request?

If there are none, could we not all just use the value 'QLIKSENSEXREFKEY' always?

Levi_Turner
Employee

> Are there any security concerns with not changing it, either for every session or for every request?

No, there are not. Validation of the header and URL param being the same nominally is a layer of security but for all intents and purposes, that isn't anything close to real security.

> If there are none, could we not all just use the value 'QLIKSENSEXREFKEY' always?
> I know the xrfkey can be static, meaning the same hardcoded value, always.
> But should it?

I guess I'd frame things this way. If you have a robust integration layer which is making significant use of QRS API calls to automate activities, then it would be ideal to have a dynamic xrfkey. Presumably (and hopefully) you would have a fairly detailed transactional log in the integration layer which then can be joined together with the Qlik Sense Enterprise logs to audit an event. If everything is static (i.e. same user, same xrfkey) then debugging is basically not possible. You'd know it wasn't Qlik Sense Enterprise itself which did some activity (e.g. delete an app) but what module / routine / code actually made the request wouldn't be discernible from the Qlik side.

If you've got a batch job which runs once a month, then you likely don't care about tracing / logging / auditing a whole ton.
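
An added example, not part of any post in this thread and not Qlik's or qsticket's code: one way an integration layer could issue a fresh xrfkey per QRS request and record which module sent it, so that a key seen on the Qlik side can be traced back to the caller. It assumes the `xrfkey` URL parameter and `X-Qlik-Xrfkey` header from the QRS API documentation; the host, path, module and user names and the in-memory `AUDIT_LOG` are constructed for illustration.

```python
import json
import secrets
import string
import time
from urllib.parse import urlencode

ALPHABET = string.ascii_letters + string.digits
AUDIT_LOG = []  # stand-in for the integration layer's transactional log


def new_xrfkey():
    """Return 16 random alphanumeric characters from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(16))


def build_qrs_request(base_url, path, module, user, method="GET"):
    """Prepare one QRS call with a fresh xrfkey and record who asked for it."""
    key = new_xrfkey()
    request = {
        "method": method,
        "url": f"{base_url}{path}?{urlencode({'xrfkey': key})}",
        # The header and the URL parameter must carry the same value.
        "headers": {"X-Qlik-Xrfkey": key},
    }
    AUDIT_LOG.append({"ts": time.time(), "xrfkey": key, "module": module,
                      "user": user, "method": method, "path": path})
    return request


def who_sent(xrfkey):
    """Map an xrfkey seen on the Qlik side back to the integration-side record."""
    return next((e for e in AUDIT_LOG if e["xrfkey"] == xrfkey), None)


if __name__ == "__main__":
    # Constructed host, path, module and user names.
    req = build_qrs_request("https://qlik.example.com:4242", "/qrs/app",
                            module="nightly_cleanup.delete_stale_apps",
                            user="svc_integration")
    print(json.dumps(req, indent=2))
    print(who_sent(req["headers"]["X-Qlik-Xrfkey"]))
```

The per-request key here is only a correlation identifier for auditing; authentication of the call still rests on whatever certificate or session the integration uses.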