Yes .. I wouldn't enable this flag if possible ...

I see that the "reset password" feature uses a similar method

it creates a temporary appkey, and the link sent by email redirect to a mashup to set new password (with the appkey as parameter !) 

but this is not a standard mashup ... it is in a different path (/formlogin/reset...), it is a system mashup outside the "composer" management, and as you can understand it works even id the "use appkey as parameter" flag is OFF, it has a different management.

Are there other possibilities ?

Can those "system mashups" be created with an extension ?

Even if I know the usecase seems solid - open mashup without logging in, the current soft "deadlock" (the deprecation of the AllowAppKeyAsURLParameter) does not make this a very feasible option long term.

I would suggest explaining to your customer/usecase owner that you really need to log in if you want to access the application. Usually in an enterprise this is a bit easier if they setup ThingWorx with SSO - they can login once. Again, maybe this won't work for reasons I'm not aware, but it is what it is.

If that's no go, another option is to enable that checkbox, and engage in discussion with your relevant PTC counterpart (through your Partner Manager/Customer Success Manager) to see how PTC will tackle that issue on long term, that is, what capability will they offer to support accessing mashups without logging in.

We cannot use SSO for now, we use native thingworx users.

On my case I have to open mashup with appkey for a single special operation.

and the appkey will be temporary (lifetime is few days) and it also will be deleted immediately when that operation is done.

A thingworx user will to this operation just one time in its life.

What do you mean for soft deadlock with the appkey ?
I read that the only "issue" with is that the appkey is cached and can be easily retrieved by the user.

Ok ... but if that appkey will be deleted by the system after little time... do I have other possible problems ?

By "soft deadlock" I referred to the fact that that checkbox is deprecated and there's no official alternative that replaces its capability.

Regarding your last comment, that indeed is true (you can delete/expire appKeys), but the caching aspect is generally seen as a bigger issue in these security issues.

You can make the system delete an appkey after login - use the Security Monitor's ApplicationKeySucceeded event.

However, keep in mind that if you ask an IT security expert, he will probably have some objections against this method. This is usually the case in these matters.