Can non-admin user issue their own API key?

Hello :wave:,

I’m making a GitHub action posting to the Discourse forum.
I found the post API, however, the document says Discourse users need to create an API Key from the admin panel, even though non-admin users have no admin panel. Here I have several questions:

  • Is the API key designed even for non-admin users?
  • If so, how non-admin users can create their API key?
  • If so, to enable the API key for non-admin users, is there any necessary settings?
    • The forum’s preferences page has no interface to create an API key. So I guess that there are some settings that let users issue their API keys.

Thanks in advance! :pray:

1 Like

Hello @KengoTODA, welcome here! :slight_smile: :wave:

User API keys specification will be helpful for what you have described.


Thank you! I’ve checked the ‘API key generation flow’ part.

I understood that it’s for web applications that can provide auth_redirect URL.
Is there any recommended way for CLI or GitHub Actions?

If this is for a GitHub Action you will probably be better off creating a scoped api key, that only allows the actions you need, but yes you will need to be an admin to create this key.


For CLI programs, if this is necessary, you can launch a local web server and use a http://localhost:XXXXX/callback URL. The app does something similar.


OK I’ll have a try, thanks for your support!

1 Like

You can create an user API following Generating User API Keys for testing


I’m working in this branch, and successfully run the command using localhost as redirect URL. However, after I click the button to authorize, the page reported a JS error and it could not proceed the operation. The ruby script works but it also fails when I add auth_redirect parameter.

Here is the exception reported in the browser console:

Uncaught TypeError: Cannot set property 'isReadOnly' of undefined
    at Function.createCurrent (_application-42d4413fabab7a4b12e0c25fb01f736af560aa283089071a8493f37c9b042a4a.js:44867)
    at Function.current (_application-42d4413fabab7a4b12e0c25fb01f736af560aa283089071a8493f37c9b042a4a.js:8816)
    at Object.initialize (_application-42d4413fabab7a4b12e0c25fb01f736af560aa283089071a8493f37c9b042a4a.js:70403)
    at Object.i.initialize (_application-42d4413fabab7a4b12e0c25fb01f736af560aa283089071a8493f37c9b042a4a.js:7001)
    at _ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:49660
    at i.each (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:67904)
    at i.walk (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:67891)
    at n.each (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:67858)
    at n.topsort (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:67758)
    at t._runInitializer (_ember_jquery-189e46ebcb33594b835e782fd1ce916ec750bc0cf980ebc4fb7796649161a18d.js:49667)

I will attach the screenshot from JS code analysis. it seems that the siteAttribtues is expected to be proper value, but it’s undefined. If you have any suggestion to me, please let me know. Thank you!

スクリーンショット 2020-12-15 085706

I’m investigating this issue.

The JS throws an error, because the POST method for /user-api-key returns 403 and build_not_found_page method in the controller does not invoke the preload_anonymous_data method that stores preloaded value.

It’s not sure why the server responded 403 with <h1 class="title">Oops! That page is private.</h1> when I added auth_redirect param. I tried to use the same domain for callback URL (to verify cross-site scripting issue) and HTTPS protocol, but no luck.

You need to add the domain (and path) to the allowed user api auth redirects site setting.

If you’re manually issuing HTTP requests, then discourse://auth_redirect should work.


Thanks, I found the config in the site_settings.yml and understood why my request met 403.

The discourse://auth_redirect does not work as expected to me, so I’ll try to ask users to input the encrypted token manually, just like the ruby code.

Note for other users: I created a node module which can invoked via npx command. It’ll create an API key with write scope. Hope that it helps set-up process of systems which needs Discourse API token.


Edit: Hi @KengoTODA. Your github code was helpful in pointing me in the right direction. Still working out a few things, then I’ll write up a bit of how I got things working.

@KengoTODA 's github code helped me a lot. I now have a working version of authenticating users on a per user basis to make api calls to discourse. I wrote up my steps here: User API keys specification - #45 by JQ331

1 Like