How can I grant Discourse access through an API?

We’re building an AI-powered memory system where multiple AI agents (DeepSeek, Claude, ChatGPT, etc.) interact with our Discourse forum as a shared knowledge base.

Current setup:

  • Self-hosted Discourse (latest stable)
  • VPS: Ubuntu 22.04, Docker-based installation
  • Admin user: adminjozsi
  • AI agent user: grokenit (created via email invitation)

The Problem

We’re experiencing frequent API key invalidation issues:

  1. API keys expire unexpectedly even when set to “1 year” validity
  2. “Invalid API” errors appear randomly, requiring new key generation
  3. Keys that worked yesterday suddenly fail today with no configuration changes
  4. Error: {"errors":["Invalid API key"]} on POST requests to /posts.json

What We’ve Tried

✅ User-level API keys (instead of Global)

  • Description: “Grok - User API Key - adminjozsi”
  • User level: “Single User” → adminjozsi
  • Scope: Global

✅ Rate limit adjustments:

  • Set “Rate limit new user create post” to 0
  • Increased all rate limits for new users

✅ Multiple regenerations:

  • Generated 5+ API keys over the past week
  • Each works initially, then fails within 24-48 hours

Questions

1. Why do API keys expire despite the 1-year setting?

Is there a hidden expiration mechanism we’re missing? Server logs show no revocation events.

2. Can two different API keys share the same Api-Username header?

Our architecture idea:

  • API Key #1 → Used by human admin (me) for manual operations
  • API Key #2 → Used by AI agent (DeepSeek) for automated posts
  • Both keys → Same Api-Username: adminjozsi header

Question: Will Discourse handle this correctly, or does it expect 1 key = 1 user?

3. Should we create separate users for each AI agent?

Alternative approach:

  • User adminjozsi → human admin (me)
  • User grokenit → AI agent #1 (DeepSeek)
  • User claude-ai → AI agent #2 (Claude)
  • Each with their own API key

Concerns:

  • Do AI agent accounts need Trust Level adjustments?
  • Will this cause rate limiting issues?
  • Is this the recommended pattern for bot/agent integrations?

4. Are there API stability best practices for headless/automated use?

We need rock-solid API authentication because:

  • AI agents run 24/7 without human supervision
  • Failed posts = lost data in our memory system
  • Regenerating keys requires manual intervention

Technical Details

API request format:

curl -X POST "https://www.enit.hu/posts.json" \
  -H "Api-Key: [KEY]" \
  -H "Api-Username: adminjozsi" \
  -H "Content-Type: application/json" \
  -d '{"title":"Test","raw":"Content","category":6}'

Works initially: ✅ Returns {"id":123,"topic_id":45,...}
24-48h later: ❌ Returns {"errors":["Invalid API key"]}

Server environment:

  • Discourse version: 3.6.0.beta2-latest (f26f894bfc)
  • Docker-based installation
  • No reverse proxy (direct HTTPS via Let’s Encrypt)
  • No CDN or caching layer

What We Need

Ideal solution:

  1. Stable API keys that don’t expire unexpectedly
  2. Clear guidance on multi-agent architecture (1 key vs multiple keys)
  3. Debugging tips for “Invalid API” errors when keys should be valid

Any insights would be greatly appreciated! This is a critical blocker for our AI integration project.

Forum URL: https://www.enit.hu
Happy to provide more logs/details if needed!
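
An added example, not part of the original post and not Discourse's own code: a small Python client for the request format shown above that tells the "Invalid API key" body apart from other failures and spools every unsent payload to disk, so a rejected key does not mean a lost post. The base URL, the environment variable names, the spool layout and the use of HTTP 429 for throttling are assumptions; the key is read from the environment and is never written to the spool.

```python
import json, os, tempfile, time, urllib.error, urllib.request

BASE_URL = "https://forum.example"  # placeholder host, not the poster's site


def classify(status, body):
    """Map an HTTP status and response body to ok / auth_failed / rate_limited / other."""
    try:
        doc = json.loads(body)
        errors = doc.get("errors", []) if isinstance(doc, dict) else []
    except ValueError:
        errors = []               # non-JSON body (proxy page, HTML error, ...)
    if 200 <= status < 300 and not errors:
        return "ok"
    if any("Invalid API key" in str(e) for e in errors):
        return "auth_failed"      # error body quoted in the post; do not retry with this key
    if status == 429:
        return "rate_limited"     # assumption: throttling is signalled with 429
    return "other"


def http_send(payload):
    """POST to /posts.json with the headers from the post; credentials come from the environment."""
    req = urllib.request.Request(
        BASE_URL + "/posts.json", data=json.dumps(payload).encode(), method="POST",
        headers={"Api-Key": os.environ["DISCOURSE_API_KEY"],        # assumed variable name
                 "Api-Username": os.environ["DISCOURSE_API_USER"],  # assumed variable name
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def deliver(payload, spool_dir, send=http_send):
    """Send one post; on any failure keep the payload on disk instead of dropping it."""
    status, body = send(payload)
    outcome = classify(status, body)
    if outcome != "ok":
        # The spool record holds the payload and the outcome only, never the API key.
        record = {"outcome": outcome, "status": status, "payload": payload}
        fd, _ = tempfile.mkstemp(prefix=f"{int(time.time())}-", suffix=".json", dir=spool_dir)
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
    return outcome
```

An agent loop built on this can stop posting and raise an alert on the first `auth_failed` result, then replay the spool directory once a working key is in place.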