I am pretty sure the answer to 'is API token required" question is yes.
The slight complication is that this value can be passed as a header token, user name if using curl or in the passed url. So there is always the chance that other changes have caused an old way of doing something to break. As an example has the script been refactored to remove the use of curl and so the user parameter has been dropped without a header parameter being added?
If you have not changed anything on your end and authentication has been failing it would be worth raising a support ticket as the support team may be able to map the issue you have been seeing against any outages they have logged internally.
I am not a staff member, so my answers are based on what I know and what I can find in the docs, with some additional backup from circleci.
If you have been able to access the artefacts of a build without authentication it is something for staff members to look into as it means the only security in place was “Security through obscurity” rather than “Security through security”. The API docs clearly show that the Circle-Token should be part of each request.
I would say that you should raise a support ticket so that a staff member can look into this in more detail. I’ll also raise this thread via the channel I have access too.
Hi @mondaychen - during a brief period last week there was a regression to artifacts fetching on certain OSS projects. The only projects affected were ones that have enabled a specific setting that allows unauthenticated access to artifacts. I suspect that was what your coworkers noticed. I’m sorry for the disruption that caused you, and your colleagues.
Thanks a lot @rit1010 you were absolutely right to spot that this type of security related inconsistency is something to be concerned about. In this case the unintended change briefly disabled the permissive access, forcing authentication where it was not previously required.