If a non-administrative user types http://Distribution-s:4799/QMS/Service
then the non-administrative user can make a request to GetTimeLimitedServiceKey. The keys obtained from this endpoint are required to access the majority of administrative API calls within the QlikView application. How will I restrict it?
For most API calls, the user needs to be a member of the “QlikView Management API” group.
If the user isn't a member of that group on the QlikView Server host, they won't be able to do much with the API.