I plan to use API calls to pause a sensor when a machine reboots to apply updates. However, I discovered the passhash can be used to access the WebUI, eg: "https://example.com/?username=apiuser&passhash=1234567890".
This is a problem. I can't hide the hash from local admins on those servers, but I don't want them to be able to gain access to the WebUI. I found some posts on this board that indicate the hash should not work for the web interface. Is this a bug?