An unfortunate (in this context) characteristic of GET parameters is that they get logged all over the place, possibly including the Discourse server, load balancers or proxies closer to the client.
Is there a way to provide the authentication details other than as GET parameters? E.g. many APIs allow for them to be passed via a custom HTTP header.
Using POST where I mean GET might work, but it’s icky at best. Arguably it’s a bug if POST is accepted in most contexts where GET is what’s meant, and I would be wary about assuming that wouldn’t become the case if it’s not now.
I wonder if there’s an OAuth based approach to be had?
User API allows this but server API does not quite yet. I would like to add support for it because often it is cleaner to pass this info in headers, less risk of bad caching.
The Discourse API now supports, and recommends, passing the authentication details in the request’s HTTP headers. See the updated Discourse API Documentation topic and the Authentication section of https://docs.discourse.org/ for details.
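The following is an added example, not part of the thread and not Discourse's own code. It builds a request with the credentials in headers, and scrubs access-log lines that still carry them in the query string. The header names `Api-Key`/`Api-Username` and the query names `api_key`/`api_username` are taken from the Discourse API documentation rather than from this page; the host name and log lines are constructed.

```python
import re
import urllib.request
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters treated as credentials (names assumed from the Discourse docs).
SENSITIVE = {"api_key", "api_username"}

def build_request(base_url, path, api_key, api_username):
    """GET request with credentials in headers, so the URL carries no secret."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    req.add_header("Api-Key", api_key)
    req.add_header("Api-Username", api_username)
    return req

def redact_url(url):
    """Return (url_with_credentials_masked, leaked_flag)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = any(k in SENSITIVE for k, _ in pairs)
    cleaned = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked

# Request line of a common/combined-format access log entry.
REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')

def scrub_log_line(line):
    """Mask credentials in one log line; the flag marks a key that needs rotating."""
    m = REQUEST_LINE.search(line)
    if not m:
        return line, False
    redacted, leaked = redact_url(m.group("url"))
    return line[:m.start("url")] + redacted + line[m.end("url"):], leaked

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /latest.json?api_key=CONSTRUCTEDKEY123&api_username=system HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /latest.json?page=2 HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        scrubbed, leaked = scrub_log_line(entry)
        print("LEAK " if leaked else "ok   ", scrubbed)
```

Any key flagged by `scrub_log_line` has already been written to disk in clear text somewhere along the path, so masking the log is only cleanup; the key itself should be revoked and reissued.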