View Issue Details

ID: 0023939
Project: mantisbt
Category: api rest
View Status: public
Last Update: 2018-04-29 19:21
Reporter: jdg
Assigned To: vboctor
Priority: low
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 2.10.0
Summary: 0023939: Option to bypass Auth layer for REST API
Description

Hi!

I'm currently in the middle of deploying a Mantis instance for my team. I realize that it's experimental, but I got the REST API working from within the employee release of our application and would prefer not to hard-code an API key. Is there an easy way to disable Auth for POST requests to /api/rest/issues?

Thanks in advance for your help! Love what you guys are doing here!

Steps To Reproduce
  1. Make POST request to /api/rest/issues, get it working with an API key
  2. Realize that there's no way to disable the Auth layer
  3. Curl up into a ball and cry at your lack of PHP knowledge
Tags: No tags attached.

Activities

vboctor (manager), 2018-02-06 20:55, ~0058787

REST API is no longer experimental. It is now enabled by default and should be able to serve most scenarios.

What kind of authentication do you want to happen if you disable API key auth? How do you guarantee that a rogue client won't just post to your API?

The API also has a need to attribute the calls to a user within MantisBT; hence, there needs to be some way to determine the user. In the case of anonymous access, that would be the anonymous user, and in such a case there is no need for an Authorization header.

jdg (reporter), 2018-02-08 15:46, ~0058804

Thanks for the response, @vboctor!

We host our bug tracker internally, so users outside the network won't be able to access it. I realize that this is definitely not best practice, so I plan to revisit that in a later implementation.

Ah, OK. I wasn't aware that the anonymous user could bypass auth if enabled. Should I just enable anonymous access and identify POST requests from our integrated application as that user?

vboctor (manager), 2018-02-10 16:38, ~0058815

You will need to have:

  • Anonymous access enabled, and that user must have enough access to do the actions you need to trigger via the API (e.g. report issues).
  • Don't pass the Authorization header when calling the API; the call will then authenticate as the anonymous user automatically.

Having said that, I think you are better off creating a user for the API access and hard-coding the API key created for such a user. This way you don't have anonymous access to your MantisBT, with users using it by mistake.
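The two calling modes discussed in this thread, as an added example that is not part of the thread or of the MantisBT project: a small client that posts to /api/rest/issues either with an API token (read from the environment rather than hard-coded in the application) or, when no token is given, without an Authorization header so the call is attributed to the anonymous user. The payload field names and the sample project/category are assumptions for illustration.

```python
"""Added example: post an issue to the MantisBT REST API, with the
dedicated-user token supplied out of band instead of hard-coded."""
import json
import os
import urllib.error
import urllib.request

# Constructed sample payload; field names are an assumption about the
# POST /api/rest/issues body, project/category names are made up.
SAMPLE_ISSUE = {
    "summary": "Crash when saving report",
    "description": "Steps: open report, click save.",
    "project": {"name": "Employee App"},
    "category": {"name": "General"},
}


def build_issue_request(base_url, issue, token=None):
    """Build the POST /api/rest/issues request.

    With a token, the Authorization header makes MantisBT attribute the
    call to the token's owner. With token=None the header is omitted, so
    the call runs as the anonymous user (works only if anonymous access
    is enabled and that account may report issues)."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["Authorization"] = token
    body = json.dumps(issue).encode("utf-8")
    url = base_url.rstrip("/") + "/api/rest/issues"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def token_from_env(var="MANTIS_API_TOKEN"):
    """Read the API token from the environment so it never lands in source."""
    return os.environ.get(var) or None


def report_issue(base_url, issue, token):
    """Send the request; return (status, parsed body) or (status, None)."""
    req = build_issue_request(base_url, issue, token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        # 401/403: token rejected, or anonymous user lacks report access
        return exc.code, None
    except urllib.error.URLError:
        return None, None  # server unreachable


if __name__ == "__main__":
    print(report_issue("https://mantis.example.invalid", SAMPLE_ISSUE, token_from_env()))
```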