Thanks for these details, that’s exactly what I was trying to understand.
That’s exactly what I was going to say, everything that comes to this Open API is not encrypted.
That’s for sure, as soon as it’s possible, we need to encrypt, but it won’t be possible in all cases. You are probably right about Tasker, it’s worth studying, but I only took it as an example. There will be other applications/services where it won’t be possible, Totof mentioned PhoneTrack here: Utiliser Owntracks avec Gladys 4! - #24 par Totof, the data is transmitted in an HTTP request, we won’t be able to encrypt from the application. In your presentation of the Gateway, you talked about connecting with external services (Google Assistant, Alexa, IFTTT…) I don’t exactly know how they work but if they need a webhook to Gladys it will be the Gateway and once again we won’t be able to do anything about it. I totally understand the goal of end-to-end encryption, personally I am completely for it, and Gladys has among other things essential points the security and respect for privacy. Unfortunately in some cases we may need to trust (like for OwnTrack), provided that we properly warn the user in the documentation. We do our best for encryption and we are transparent for the rest.
As for the list of routes in the Open API, I don’t know if it’s worth putting all the routes of Gladys. I don’t have many scenarios in mind yet, but limiting the Open API to a few routes that really need it would push us to really limit this data exposure to the Gateway and force us to always look for the most secure solution.
As you say, the reflection remains completely open, I will continue to study this over the next few days.