I am having an issue with embedding Discourse in our intranet site.
The API documentation states the Discourse request requires the headers “API-Key” and “Api-Username” to authenticate and gain access to the feed. However, the Pre-flight check says that “User-API-Key” and “User-Api-Client-Id” are the allowed values.
When called not through a browser, this works as expected. But when calling through the browser, the server is claiming it requires “User-API-Key” and “User-Api-Client-Id”.
I checked that a basic connection worked with Postman; this behaves as per the Discourse docs.
If we pass the headers from the docs, the browser blocks the request due to the Pre-flight check and gets an Access-Control-Allow-Headers CORS error.
If we pass the headers the server will accept, we get a “not authorised error” because the application expects differently named values.
I have tried adding headers to the Docker config but it doesn’t seem to apply. CORS is enabled and the origin of ‘*’ is in the config.
We have two different API authentication systems, which can be confusing.
These are for the ‘admin API’, which is described on docs.discourse.org. This is not designed to be used from JavaScript clients.
These are from the “User API” specification, which can be used from a JavaScript client (and therefore supports CORS). There are more details about this here: User API keys specification
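
The browser-side behaviour discussed in this thread, as an added example that is not part of the original posts or of Discourse's code: a simplified model of the CORS preflight header check, showing why the admin API header names are blocked while the User API names pass. The `Access-Control-Allow-Headers` value and the header values are constructed samples based on the names quoted in the question; the safelist handling is a simplification of the Fetch standard (value-length limits and `Range` are ignored).

```javascript
// Added example: simplified model of the browser's CORS preflight header check.
const ALWAYS_SAFE = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Lower-cased names of headers that force a preflight and need server approval.
function unsafeHeaderNames(requestHeaders) {
  return Object.entries(requestHeaders)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (ALWAYS_SAFE.has(n)) return false;
      if (n === "content-type") {
        const mime = String(value).split(";")[0].trim().toLowerCase();
        return !SAFE_CONTENT_TYPES.has(mime);
      }
      return true;
    })
    .map(([name]) => name.toLowerCase());
}

// Returns the request headers the browser would reject, given the
// Access-Control-Allow-Headers value from the preflight (OPTIONS) response.
function blockedHeaders(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = new Set(
    (allowHeadersValue || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  // "*" is only a wildcard for requests made without credentials.
  const wildcard = allowed.has("*") && !withCredentials;
  return unsafeHeaderNames(requestHeaders).filter((n) => {
    if (allowed.has(n)) return false; // header names compare case-insensitively
    return !(wildcard && n !== "authorization"); // "*" never covers Authorization
  });
}

// Constructed sample: a preflight response that lists only the User API headers.
const SAMPLE_ALLOW = "Content-Type, User-Api-Key, User-Api-Client-Id";
const adminStyle = { "Api-Key": "PLACEHOLDER", "Api-Username": "PLACEHOLDER", Accept: "application/json" };
const userStyle = { "User-Api-Key": "PLACEHOLDER", "User-Api-Client-Id": "PLACEHOLDER" };

console.log(blockedHeaders(adminStyle, SAMPLE_ALLOW)); // [ 'api-key', 'api-username' ]
console.log(blockedHeaders(userStyle, SAMPLE_ALLOW));  // []
```

Postman and other non-browser clients never run this check, which is why the same admin API request succeeds there.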