Anomalous API results


I’m trying to run an API call to create a new topic. Discourse API Docs

Using Postman I am sending in the API Key / Username / Content-Type as Headers, and JSON data in the body.

I have verified the API Username and Key are correct, but, the API call returns the HTML of our sign in page.

Is this expected? How can I work around that?

1 Like

Can you please paste the cURL version of the API call you are trying to make?



curl -X POST '' \
     -H 'Api-Username: RyanVeitch' -i \
     -H 'Api-Key: My-API-Key' -i \
     -H 'Content-Type: application/json' \
     -d \
    "title": "My fancy title",
    "raw": "Some random text to fill my topic",
    "category": 212,
    "created_at": "2020-06-22"

In the terminal I get this output:

HTTP/1.1 307 Temporary Redirect
Proxied-By: Service Gateway
Strict-Transport-Security: max-age=31536000; includeSubDomains
content-type: text/plain;charset=UTF-8
content-length: 138

Redirecting to a different URI:
1 Like

Let me know if you need anything else from my side to help in troubleshooting :smiley:

Appears that you have a very custom setup with a proxy in the middle.

That is not standard Discourse behavior, so it looks like this is caused by your special proxy thing.

Maybe there is a special Header you can send to bypass the proxy? Gotta check with that product docs.


Cool! Thanks @Falco - I’ll dig in with our dev team :slight_smile:


Hey @Falco - I managed to get through the proxy but I’m now being hit by 403 BAD CSRF Errors.

I see this thread seems kinda unfinished…

Do you have any thoughts on how to beat these errors?


I just tested your example curl command locally and it is working fine for me so the syntax is all correct. Is is possible the proxy is stripping some headers? That could be why you are getting the BAD CSRF errors because it can no longer read/access the api credentials.


Thanks @blake

Our proxy is fully custom in house built and it’s a front layer to the public.

I’m VPN’d into our internal network & I’m not hitting the public URL, I’m hitting the backend (behind proxy) URL, so, the requests shouldn’t be going through the proxy.

Our staging discourse instance is v 2.3.10

Does the API behave differently on that version?

1 Like

Nope, v2.3.10 still has all the header based auth stuff so it shouldn’t behave any different.

You are hitting this line:

which means your request is malformed in some way and it can’t detect that it is an api request.


Because this is a staging instance and not local you will have nginx or some other webserver running before it hits discourse. It’s possibly nginx is stripping some headers depending on your config. These may show up in the nginx logs.

This is the line where it reads the api credentials out of the request headers. You could also add some debug statements to this file to figure out if the headers are getting this far.



Thanks! I’ll take this up with our dev team :smiley:

Appreciate your help

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.