I’m working with the Discourse API, and have learned that in order to perform a GET one must include the API key and API username in the URL as a parameter:
curl -X GET "http://127.0.0.1:3000/admin/users/list/active.json?api_key=714552c6148e1617aeab526d0606184b94a80ec048fc09894ff1a72b740c5f19&api_username=discourse1"
One of the calls I’m making is:
If you change show_emails to true, then you are exposing personal information.
Furthermore, if someone were to log HTTP traffic and gain access to your API key and admin user, they could pretty much do anything they wanted to your community.
I tried putting the API key in the header instead, but that didn’t work.
Am I missing something, or is there a security risk to using the API with GET?
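Added example, not part of the original post: since credentials passed as `api_key` and `api_username` query parameters end up in any access log that records the request line, this sketch redacts them from common/combined-format log lines and returns a fingerprint of each exposed key so it can be rotated. The function names, log format and sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"api_key", "api_username"}  # parameter names used in the post
# Request field of a common/combined access-log line: "METHOD URL PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)"')

def fingerprint(secret):
    """Short SHA-256 prefix: says which key leaked without storing the key."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scrub_line(line):
    """Return (redacted_line, fingerprints of api_key values seen in it)."""
    leaked = []

    def redact(match):
        parts = urlsplit(match.group("url"))
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        if not any(name.lower() in SENSITIVE for name, _ in pairs):
            return match.group(0)  # leave unrelated requests byte-for-byte intact
        cleaned = []
        for name, value in pairs:
            if name.lower() == "api_key":
                leaked.append(fingerprint(value))
            if name.lower() in SENSITIVE:
                value = "REDACTED"
            cleaned.append((name, value))
        url = urlunsplit(parts._replace(query=urlencode(cleaned)))
        return '"{} {} {}"'.format(match.group("method"), url, match.group("proto"))

    return REQUEST_RE.sub(redact, line), leaked

def scrub_log(lines):
    """Redact every line; return (clean_lines, sorted key fingerprints to rotate)."""
    clean, to_rotate = [], set()
    for line in lines:
        redacted, leaked = scrub_line(line)
        clean.append(redacted)
        to_rotate.update(leaked)
    return clean, sorted(to_rotate)

# Constructed sample lines (not real traffic); the key value is a placeholder.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/users/list/active.json'
    '?show_emails=true&api_key=CONSTRUCTED_KEY_0001&api_username=discourse1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /latest.json?page=2 HTTP/1.1" 200 2048',
]
```

Calling `scrub_log(SAMPLE_LOG)` returns the redacted lines plus the list of key fingerprints; any key that shows up there has been written to disk in clear text and should be treated as exposed.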