API: Can I authenticate without putting the key in the URL?

Continuing the discussion from Discourse API Documentation:

An unfortunate (in this context) characteristic of GET parameters is that they get logged all over the place, possibly including the Discourse server, load balancers or proxies closer to the client.

Is there a way to provide the authentication details other than as GET parameters? E.g. many APIs allow for them to be passed via a custom HTTP header.

I don’t believe there is support to put the parameters in the header, but you can put them in the body of the request and not as part of the URL.

Using POST where I mean GET might work, but it’s icky at best. Arguably it’s a bug if POST is accepted in most contexts where GET is what’s meant, and I would be wary about assuming that wouldn’t become the case if it’s not now.

I wonder if there’s an OAuth based approach to be had?

I believe you can send the API parameters inside the body even in a GET request.

I believe this is how the discourse_api does it.

As your linked post says, giving semantic meaning to the body of a GET request is a violation of the spec.

Looking over how GitHub does it, using basic HTTP authentication looks rather straightforward.

I don’t mind adding support for HTTP headers used for auth like S3 does, etc … submit a PR


Was this submitted? Am I able to authenticate with Authorization headers via the API?

I don’t think this has been done yet.

This is absolutely something I want to support and something the user API already supports.


Before that, should we send authentication parameters in request body for all GET requests? Or what is the best workaround?

Hi there,

Is there any news related to putting the API Key inside an Authorization header instead of using a query parameter?

User API allows this but server API does not quite yet. I would like to add support for it cause often it is cleaner to pass this info in headers, less risk of bad caching.


I’d love to see support for this as well, due to the mentioned reasons of logging.

The Discourse API now supports, and recommends, passing the authentication details in the request’s HTTP headers. See the updated Discourse API Documentation topic and the Authentication section of https://docs.discourse.org/ for details.
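
The logging concern raised at the top of this thread also applies to history: any key that was ever sent as a GET parameter may still sit in old access logs. The following is an added example, not code from this thread or from Discourse, that redacts such keys from access log lines and reports a fingerprint of each so the affected keys can be rotated. It assumes common/combined log format and `api_key` as the query parameter name; the sample lines are constructed.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: credentials arrive in a query parameter named api_key.
SENSITIVE = {"api_key"}

# Request portion of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fingerprint(secret):
    """Short SHA-256 prefix: identifies a leaked key in a report
    without writing the key itself anywhere new."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scrub_line(line):
    """Return (redacted_line, [fingerprints of keys found in the URL])."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    found, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            found.append(fingerprint(value))
            value = "REDACTED"
        kept.append((name, value))
    if not found:
        return line, []  # e.g. a header-authenticated request: nothing to scrub
    target = parts._replace(query=urlencode(kept)).geturl()
    start, end = m.span("target")
    return line[:start] + target + line[end:], found

def keys_to_rotate(lines):
    """Unique fingerprints of every key that appeared in a logged URL."""
    return sorted({fp for line in lines for fp in scrub_line(line)[1]})

# Constructed sample log lines (not from a real server).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /latest.json?api_key=EXAMPLEKEY0001&api_username=system HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /latest.json HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /posts.json?page=2&api_key=EXAMPLEKEY0001 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(scrub_line(line)[0])
    print("rotate:", keys_to_rotate(SAMPLE))
```

The second sample line shows what a header-authenticated request leaves behind in the same log: a URL with no credential in it.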