Help needed with API header

We are making API requests on behalf of our customer, and all endpoints require an x-user-email header. We tried populating different values in this header, only to discover that it accepts not only any email address for TrueCar, but any email of the format {email}@{customer's domain}, be it registered or unregistered. This poses a bit of concern for them, as they would only want the data accessible to the email shared in the header to be searchable, but evidence suggests that the same response is received as long as the header contains any email with the customer's domain.

Could you share any context as to why we're observing this and how we can actually perform actions on behalf of the user for whom the email header is provided?



1 comment
  • Hi. I'm going to route you to our Support team to get this looked at further. If you don't mind, can you have your customer submit a ticket here so we can get them and you to our API team to investigate this further?

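A hypothetical model of the behaviour reported in the post (a domain-only check on x-user-email) beside the per-user check the poster expected. This is an added example, not part of the original thread and not the vendor's code; the domain, users, records and function names are constructed assumptions.

```python
# Added illustration: a hypothetical model, not the vendor's API code.
# Constructed sample data: tenant domain, registered users, per-user records.
TENANT_DOMAIN = "customer.example"
REGISTERED_USERS = {"alice@customer.example", "bob@customer.example"}
RECORDS = [
    {"id": 1, "owner": "alice@customer.example"},
    {"id": 2, "owner": "bob@customer.example"},
]


class Forbidden(Exception):
    """Raised when the x-user-email value may not act on this tenant."""


def _normalize(headers):
    # Assumes header names were already lower-cased by the web framework.
    email = headers.get("x-user-email", "").strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise Forbidden("missing or malformed x-user-email")
    return email, domain


def search_domain_only(headers):
    """Weak: only the domain is checked, so every caller gets tenant-wide data."""
    _, domain = _normalize(headers)
    if domain != TENANT_DOMAIN:
        raise Forbidden("wrong domain")
    return [r["id"] for r in RECORDS]


def search_per_user(headers):
    """Hardened: the email must be a registered user; results are scoped to it."""
    email, domain = _normalize(headers)
    if domain != TENANT_DOMAIN or email not in REGISTERED_USERS:
        raise Forbidden("unknown user")
    return [r["id"] for r in RECORDS if r["owner"] == email]
```

With the domain-only check, a registered and an unregistered address return identical results, which matches the observation in the post; the per-user check rejects the unregistered address and returns different results for each registered user.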
