Totara Learn Open Discussions

Replace Web services - External Service (deprecated)

 
Re: Replace Web services - External Service (deprecated)
by Simon Coggins - Monday, 19 August 2024, 6:04 PM
Group Totara

Hi Florent,

You are correct that there are some differences between the GraphQL and Webservices API in this regard.

The GraphQL API is currently designed to use a service account to execute requests, rather than assuming the role of the requesting user.

That said, it would be possible to add per-user OAuth2 to provide individual user access in a secure way (known as 3-legged); it's just not something we've implemented support for in GraphQL yet.

The current web services approach, while simple, is not really great either - sending a username and password as API arguments is not best practice and wouldn't be compatible with many regulatory regimes.

GraphQL uses the industry-standard OAuth2 client credentials approach, which means you can use a short-lived token that will expire quickly if intercepted.


For your particular use case, and if you are comfortable with the security implications, there is nothing stopping you from continuing to use web services. While we won't be extending them any further, we don't have any intention of removing them.

Simon