Delete user avatar by API


We have Discourse forum app that is connected to our app via SSO. User avatars are updated right through it. But our photos are moderated, so we need to clear user avatars on Discourse app side.

Can it be done somehow by REST API or by SSO mechanism enhancements? I cannot find this information in docs.

Thank you!

1 Like

You should be able to call the sync_sso route to re-sync the user avatar, but you can also make a PUT request to http://localhost:3000/u/<username>/preferences/avatar/pick with an empty upload_id


to delete the users current avatar and assign them a letter avatar.


@blake Error sending this request. I used post request.
“failed”: “FAILED”

Did you try a PUT as recommended?

1 Like

@pfaffman sorry i used put


You will have to use the sync_sso endpoint if you have sso overrides avatar enabled.


We use SSO endpoint, but it refreshes user avatar only on login. In our case we need to refresh it manually.

1 Like

Yea totally fine. You can make a POST request to the sync_sso endpoint manually at any time.

1 Like

Could you please attach link to the API doc for that endpoint?

1 Like

Here is some ruby code you can use that uses the discourse_api gem so that you can use it as a reference. The sync_sso endpoint is a bit different than other endpoints because you need to send it a signed payload.

client ='host')
client.api_key = 'api_key'
client.api_username = 'api_username'
puts client.sync_sso(
  sso_secret: 'abcdefghij',
  username: '24db27218ed09205a5a0',
  name: '24db27218ed09205a5a0',
  email: '',
  external_id: '684',
  avatar_url: '',

Do I get it right, that we can send POST /admin/users/sync_sso?api_key=...&api_username=...&sso=...&sig=... ?
Are ‘sso’ and ‘sig’ parameters similar to the same of SSO authorization flow?

I tried to perform request as explained above POST /admin/users/sync_sso?api_key=...&api_username=...&sso=...&sig=... and it responded 200 with my user, but user avatar was not updated without any log events. What am I doing wrong?

You should include the api_key and api_username in the http header because using them in the query parameters is deprecated.

I think there must be some protection in the code that prevents accidentally deleting an avatar if the field is left off or is empty. You will most likely need to provide a url to a default avatar to replace the existing avatar.

I replaced API credentials with headers.
SSO synchronization didn’t update user avatar with provided one. Although Sidekiq job in that call was completed and there was no error or warning logs.

You can turn on verbose sso logs in site settings to see if anything show up there.

Is the avatar_url you are providing public? Your discourse site will need to be able to access it.

1 Like