
API authentication considerations

Recently I was learning with hackthebox machines, and I noticed that the reset-machine functionality provided by the web application was a call to an API, so the authentication was different from that of the web application. I reported the issue, but they told me that they are already aware of this and are working on implementing rolling API keys. This has nothing to do with session/cookie data, as API keys grant access only to the API, while other website functionality is still restricted.

From my point of view this is an issue because this functionality is provided inside the web application and not by an external, isolated API service (it is just one HTTP POST call), so if somebody is able to get my token they could play every day resetting machines with something as simple as this HTTP POST:

curl -i -s -k -X $'POST' $'https://www.hackthebox.eu/api/vm/reset/133?api_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

These are just my thoughts about APIs, so-called Web APIs, and the authentication applied to this type of HTTP service: should they have more authentication mechanisms? In my opinion yes, not just a token string, but also another user identification ID, an expiry date, session expiration, an operation ID, linking the token with the user cookie or session, etc.
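The following is an added example, not code from the original post and not Hack The Box's implementation. It contrasts the weak scheme described above, where a bare token string is the whole credential and a stolen copy can be replayed indefinitely, with a token that carries the extra checks proposed: a user ID, a session ID the token is bound to, the single permitted operation, an expiry time and a one-time nonce, all integrity-protected with an HMAC under a server-side key. `SERVER_KEY`, `issue_token`, `verify_token`, the replay cache and the sample user, session and operation values are all assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a per-deployment secret known only to the API server.
# (In production this would come from a secret store, not a literal.)
SERVER_KEY = b"example-server-secret-do-not-use-in-production"


def check_static_token(presented, issued_tokens):
    """Weak scheme from the post: the token string is the entire credential.
    Whoever holds the string is authenticated, from anywhere, forever."""
    return any(hmac.compare_digest(presented, t) for t in issued_tokens)


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, session_id, operation, ttl_seconds=300, now=None):
    """Hardened scheme: the token names the user, the web session it belongs to,
    the one operation it may perform, when it expires, and a nonce so it can be
    used exactly once. An HMAC over the claims stops the client editing them."""
    now = time.time() if now is None else now
    claims = {
        "uid": user_id,
        "sid": session_id,          # bound to the user's cookie/session
        "op": operation,            # e.g. "vm/reset/133"; nothing else is allowed
        "exp": int(now) + ttl_seconds,
        "nonce": secrets.token_hex(8),
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_token(token, session_id, operation, used_nonces, now=None):
    """Return (ok, reason, user_id). `session_id` is taken from the caller's
    authenticated web session, `used_nonces` is the server-side replay cache."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed", None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature", None   # tampered or forged claims
    claims = json.loads(body)
    if claims["exp"] < now:
        return False, "expired", None
    if claims["sid"] != session_id:
        return False, "session mismatch", None  # stolen token, different browser session
    if claims["op"] != operation:
        return False, "wrong operation", None
    if claims["nonce"] in used_nonces:
        return False, "replayed", None
    used_nonces.add(claims["nonce"])
    return True, "ok", claims["uid"]


if __name__ == "__main__":
    # Static token: a leaked string keeps working on every call.
    leaked = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    print("static, 1st use:", check_static_token(leaked, [leaked]))
    print("static, 2nd use:", check_static_token(leaked, [leaked]))

    # Bound token: works once, for one session, one operation, for five minutes.
    cache = set()
    tok = issue_token("user42", "sess-1", "vm/reset/133")
    print("bound, legit use:   ", verify_token(tok, "sess-1", "vm/reset/133", cache))
    print("bound, replay:      ", verify_token(tok, "sess-1", "vm/reset/133", cache))
    print("bound, other session:", verify_token(tok, "sess-2", "vm/reset/133", set()))
    print("bound, other op:     ", verify_token(tok, "sess-1", "vm/spawn/133", set()))
```

Because the session ID is read from the server-side session rather than from the token's bearer, a token lifted from a URL or a log is useless without the victim's cookie, and even with it the token dies at `exp` and after its first use. Note that the original request sends the token in the query string, so it will also land in access logs and browser history; a header or the POST body is the better carrier regardless of the token format.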