Discourse API Authentication


#1

I am looking at writing a third-party client to read a Discourse forum using the API. From reading the API documentation it seems that to make authenticated requests you need to use a generated API master key from the Discourse instance - but this gives you full access to the forum with any username (passed in using the api_username argument).

If the app I am developing is going to be distributed to end users, potentially using different Discourse forums, is there any way to purely authenticate to the API based upon their username and password (and only granting them rights associated with their account) - rather than a master API key?


(Sam Saffron) #2

You can generate an API key per user for this. See the admin user page.

In fact, you can use your global API key to generate user API keys for extra meta points.


#3

Got it. Is there any way for users to authenticate to the API themselves, without the need for the admin to generate or provide an API key?


(Sam Saffron) #4

Not at the moment; you would need to write a plugin for that or submit a pull request (which I would be OK with, provided the feature is default off).


#5

Thanks for the advice @sam


(Kane York) #6

Yes, set up UN/PW authentication and POST /session. This requires cookie storage, and including X-CSRF-Token in every request.

Example:
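
The flow post #6 describes (POST /session, stored cookies, X-CSRF-Token on every request), sketched as an added example; it is not code from the thread or from Discourse. Assumptions not found on this page: the class name `DiscourseSession`, the token endpoint `/session/csrf.json` and its `csrf` field, the form fields `login` and `password`, and the `error` key in a failed response.

```python
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


class DiscourseSession:
    """Username/password session: cookie jar plus X-CSRF-Token on every request."""

    def __init__(self, base_url):
        parts = urllib.parse.urlsplit(base_url)
        # The password crosses the wire, so require TLS (loopback allowed for testing).
        if parts.scheme != "https" and parts.hostname not in ("127.0.0.1", "localhost"):
            raise ValueError("refusing to send credentials over plain HTTP")
        self.base_url = base_url.rstrip("/")
        self.jar = CookieJar()  # cookie storage for the session cookie
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))
        self.csrf = None

    def request(self, method, path, form=None):
        data = urllib.parse.urlencode(form).encode() if form is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Accept", "application/json")
        if self.csrf:
            req.add_header("X-CSRF-Token", self.csrf)  # sent on every request
        with self.opener.open(req, timeout=10) as resp:
            body = resp.read()
        return json.loads(body) if body else {}

    def login(self, username, password):
        # Assumed: GET /session/csrf.json returns {"csrf": "<token>"}.
        self.csrf = self.request("GET", "/session/csrf.json")["csrf"]
        # Assumed: form fields "login"/"password"; failures come back as {"error": ...}.
        result = self.request("POST", "/session",
                              {"login": username, "password": password})
        if "error" in result:
            self.csrf = None
            self.jar.clear()  # drop the unauthenticated session
            raise PermissionError(result["error"])
        return result
```

A session obtained this way carries only the rights of the account that logged in, which is the property asked for in post #1; the client should keep the password only long enough to make the login call.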