...
Point 5 above has the following implications:
The user (datagateway) front end must provide a valid user ICAT session token which the API checks is valid. This means that theoretically, it would be possible for a user to create a DOI for guessed Investigation, datasets or datafile entities, as long as they are logged in and have a valid session token.
As there is no direct user authentication in the API, there is no way of knowing exactly who the user is. A user does not have to list themselves as a creator, nor does the API add any users related to the icat entities. This means:
a user could take sole credit for work which involved others
a user could create a doi given a fake name
A new user
doiminterwas created to assign to the DataPublication to