403 Error during multiple API calls

Ragavan_Pitchai · April 17, 2020, 12:53pm

We are using the following APIs to update and suspend users but we are getting 403 errors. Can you inform us what is the cause for this error. FYI, we are using API key of admin user.

Suspend API

`{{base_url}}/admin/users/316/suspend?api_key={{api_key}}&api_username={{api_username}}`

Request BODY

{
    "suspend_until": "3020-04-17",
    "reason": "inactive"
}

Response - 403 Forbidden

Email update

{{base_url}}/users/{username}/preferences/email?api_key={{api_key}}&api_username={{api_username}}

Request BODY

{
 "email": "discourse1@example.com"
}

Response - 403 Forbidden

pfaffman · April 17, 2020, 12:55pm

You need to put the API key in the header, not the url.

Ragavan_Pitchai · April 17, 2020, 1:07pm

Even tried it as well.Getting same 403 Forbidden with BODY-> [“BAD CSRF”]

simon · April 17, 2020, 4:17pm

The API credentials need to be in the request header. You also need to use a dash instead of an underscore for the header field names:

api_key needs to be changed to api-key (or Api-Key)
api_username needs to be changed to api-username (or Api-Username)

The rule is that the header field names are not case sensitive, but you need to use dashes, not underscores. (I learned this the hard way.) Have a look at the example at the top of Discourse API Documentation to see a properly formatted API request.

Topic		Replies	Views
[API] In the Documentation: Wrong Key in the API Suspend Bug	4	583	November 30, 2017
Generate/Regenerate api_key for a user API not working Dev rest-api	5	847	January 5, 2020
New to API, 403 Errors Dev rest-api	15	3316	February 1, 2023
Request header field User-Api-Key is not allowed by Access-Control-Allow-Headers Bug	7	2484	August 31, 2018
API endpoint users/by-external/ failing with authorization headers, works without Bug rest-api	3	509	June 26, 2023

403 Error during multiple API calls

Related topics