API Scope for /admin route

I’m struggling to understand what scopes are necessary for accessing /admin/users/list/active.json. Is it possible to do it without a global key? I’ve created a single user key for an admin user, with the “Read”, “Read Lists”, and “Check Emails” scopes, but I get a 404. If I use a global key, the same query works fine.

My high-level goal here is to list the users (with emails) in a community with the most minimal set of permissions necessary. The existence of the “Check Emails” scope makes me think this is possible, but I can’t figure out how to do it.

Thanks!

As far as I know, the routes that you see listed when you click the link icon next to each of the scopes on the new API key page are accurate. Each scope only allows you to access the routes that are listed. For example:

Gives you access to /users/:username/emails and /u/:username/emails

There isn’t a scope that can be used to limit a key to the /admin/users/list/ route. That means that you will have to use a Global key to access that route.

1 Like
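
As an added illustration of the allow-list behaviour described in the answer above (not part of the original posts and not Discourse's own code), this Ruby check reports whether a planned request is covered by a key's scopes, so you can tell in advance which calls would need a broader key. The scope label `example_scope`, the helper names, and the optional `.json` suffix handling are assumptions; the two route patterns are the ones quoted in the answer.

```ruby
# Simplified model of a per-scope route allow-list for a scoped API key.
# SCOPE_ROUTES holds only the route patterns quoted in the answer above; the
# scope label is a placeholder (assumption), not a name taken from Discourse.
SCOPE_ROUTES = {
  "example_scope" => ["/users/:username/emails", "/u/:username/emails"]
}.freeze

# Turn a Rails-style pattern into an anchored regex. Each ":name" segment
# matches exactly one path segment; an optional ".json" suffix is accepted
# (assumption, mirroring the ".json" request in the question).
def pattern_to_regex(pattern)
  body = pattern.split("/", -1).map do |seg|
    seg.start_with?(":") ? "[^/]+" : Regexp.escape(seg)
  end.join("/")
  /\A#{body}(\.json)?\z/
end

# Return the granted scopes whose route list covers the request path.
# An empty result means no granted scope allows the request.
def covering_scopes(path, granted)
  path = path.to_s.split("?", 2).first.to_s # ignore any query string
  # Refuse dot segments so "/u/../emails" cannot pass as a username.
  return [] if path.split("/").any? { |s| s == "." || s == ".." }
  granted.select do |scope|
    SCOPE_ROUTES.fetch(scope, []).any? { |p| pattern_to_regex(p).match?(path) }
  end
end

# Audit a list of planned requests: path => scopes that cover it.
# Paths mapped to [] are the ones a scoped key cannot reach.
def audit(paths, granted)
  paths.to_h { |p| [p, covering_scopes(p, granted)] }
end

if __FILE__ == $PROGRAM_NAME
  planned = ["/u/alice/emails.json", "/admin/users/list/active.json"]
  audit(planned, ["example_scope"]).each do |path, scopes|
    puts "#{path}: #{scopes.empty? ? 'not covered by any granted scope' : scopes.join(', ')}"
  end
end
```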

To suggest new scopes, or new routes to existing scopes, you can propose changes to the file linked below. For example, users.admin_list sounds like a fine name for this scope.

https://github.com/discourse/discourse/blob/master/app/models/api_key_scope.rb#L23

1 Like