Discobot gives certificate from wrong user

After completing the basic tutorial, I’ve had at least three users get other users’ certificates from Discobot. When looking at the url, the date and user ID are different from what’s on the delivered certificate as well. The url is showing correct info, the image is not. https://tokenae.com/discobot/certificate.svg?date=Jan+31+2026&user_id=12

I’m not sure what’s causing this. I’ve had other users do the tutorial hours before ones that get the issue and get their proper certificate just fine, we’re even getting different certificates assigned incorrectly, as in user x gets user y’s cert, then user c gets user b’s cert. Also, the bot’s message text is showing the correct username when addressing them, so by all appearances it should be getting this right.

Any help would be much appreciated!

I can’t reproduce this issue in our hosting. Which leads me to think that this is possibly a problem with caching, likely on your server or your CDN, if you are using a CDN.

The route here is marked to be cached for 24 hours, however, some configuration don’t store the query parameters when they cache the request, which would explain why it’s showing the wrong image to the wrong user.

Since I don’t have a repro on our hosting, though, can you test this branch and see if it actually does fix your issue? DEV: Skip caching discobot certificate generation by pmusaraj · Pull Request #37495 · discourse/discourse · GitHub (It’s a one-line change that just removes the caching on this route.)