This will help, yeah.
It still doesn’t address the original problem of the message being misleading for admins though.
○ → curl -X POST -H "api-key: $API_KEY" -H 'api-username: michael' https://try.discourse.org/users.json --json "$(jo email=michael+test@contoso.com username=michaeltest password=$PASSWORD active=true approved=true)"
{"success":true,"active":true,"message":"Your account is activated and ready to use."}
○ → curl -X POST -H "api-key: $API_KEY" -H 'api-username: michael' https://try.discourse.org/users.json --json "$(jo email=michael+test2@contoso.com username=michaeltest2 password=$PASSWORD active=true approved=true)"
{"success":true,"active":false,"message":"Your account is activated and ready to use."}
^ only a single user was created above
I’m inferring a lot of obfuscation was put into the /users.json path to deter spammers etc. but this seems to be making things difficult for admins as well. I wonder if we should add an explicit admin path to separate the two (normal account creation vs. admin account creation) which will allow the admin function to be unobfuscated.