Proposal: Always send an API key, i.e. just bake this into every request emitted by googlesheets. Consult the following sources for the key, in this order:
Sys.getenv("GOOGLESHEETS_API_KEY"), which gives the user a way to set this across multiple function calls, possibly at startup via
getOption("googlesheets.api.key"), a fallback key baked into the package.
Currently implemented as
When will I send an OAuth2.0 token?
The Sheets API v3 has the notion of visibility:
The Sheets API v3 expresses visibility directly in its endpoints. A public spreadsheet has been “Published to the Web” and thus can be accessed by the API without authorization, while a private spreadsheet does require authentication.
Previously, I would inspect the endpoint URL. Presence of
public dictated that I would or would not send a token, respectively. But sometimes these URLs were, in fact, constructed by googlesheets itself. There was a moderate current towards building private URLs, even when public was possible. And that could lead to prompts to authenticate when it wasn’t strictly necessary.
This class of aggravation was further exacerbated by the gotcha re: Sheets being “Public on the web” vs “Published to the web”, which was not my fault (btw, I wonder if that’s still a problem?).
visibility is mercifully now gone:
In the new Sheets API v4, there is no explicit declaration of visibility. API calls are made using spreadsheet IDs. If the application does not have permission to access specified spreadsheet, an error is returned. Otherwise the call proceeds.
Thinking out loud:
sheets.spreadsheets.sheets.copyTo. Example of such a task: listing a user’s Sheets. Both of those will absolutely require a token. I will hardwire the inclusion of
google_token() into requests built against such an endpoint or into the requests formed in such an operation.
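A sketch of the policy these notes describe, added here as an example and not the googlesheets implementation: the API key is resolved from the environment variable first and the option second and is attached to every request, while a token is fetched only for operations on a hardwired list. The helper names, the operation labels other than `sheets.spreadsheets.sheets.copyTo`, the URL, and the key and token values are constructed for illustration; `token_fun` stands in for `google_token()`.

```r
# Added illustration. Only GOOGLESHEETS_API_KEY, googlesheets.api.key,
# google_token() and the copyTo endpoint name come from the notes.

# Resolve the key: environment variable first, then the package option.
resolve_api_key <- function() {
  key <- Sys.getenv("GOOGLESHEETS_API_KEY", unset = "")
  if (!nzchar(key)) key <- getOption("googlesheets.api.key", default = "")
  if (!nzchar(key)) {
    stop("No API key in GOOGLESHEETS_API_KEY or googlesheets.api.key",
         call. = FALSE)
  }
  key
}

# Operations hardwired to carry a token ("list_sheets" is a constructed label).
needs_token <- c("sheets.spreadsheets.sheets.copyTo", "list_sheets")

# Describe a request: the key is always attached; the token supplier is
# called only when the operation is on the hardwired list, so a read of a
# public Sheet never triggers an authentication prompt.
build_request <- function(url, operation, token_fun) {
  sep <- if (grepl("?", url, fixed = TRUE)) "&" else "?"
  key <- utils::URLencode(resolve_api_key(), reserved = TRUE)
  req <- list(url = paste0(url, sep, "key=", key), token = NULL)
  if (operation %in% needs_token) req$token <- token_fun()
  req
}

# Constructed demo values; the URL is a placeholder, not a real endpoint.
options(googlesheets.api.key = "CONSTRUCTED-FALLBACK-KEY")
Sys.setenv(GOOGLESHEETS_API_KEY = "CONSTRUCTED-USER-KEY")
fake_token <- function() "constructed-token"
base_url <- "https://example.invalid/v4/spreadsheets/SPREADSHEET_ID"

read_req <- build_request(base_url, "read_public_sheet", fake_token)
copy_req <- build_request(base_url, "sheets.spreadsheets.sheets.copyTo",
                          fake_token)

stopifnot(
  grepl("key=CONSTRUCTED-USER-KEY", read_req$url, fixed = TRUE),  # env var wins
  is.null(read_req$token),                        # no token for a plain read
  identical(copy_req$token, "constructed-token")  # token for copyTo
)

# With the environment variable unset, the option supplies the key.
Sys.unsetenv("GOOGLESHEETS_API_KEY")
stopifnot(identical(resolve_api_key(), "CONSTRUCTED-FALLBACK-KEY"))
```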