The task queue can invoke admin secured urls when you use push, which would normally require IAM access. If you set it up like that (assuming you can trust your admins) all invocations can be trusted, regardless of headers etc.
Presumably in this case you'll still need to send a user identifier for context, but you can assume the operation was authorized by the call that queued the task. -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/174032e4-2499-4bf5-b036-004f10a21a9b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
