Discourse MCP User API Key Generator Error Nodejs >20

Support
1

Issues aren’t enabled in the GitHub repository, but please let me know if I should post this somewhere else!

When I run the User API Key generator, I get the following error:

Decrypting payload…
[2025-12-01T16:38:59.409Z] ERROR Failed to decrypt payload: RSA_PKCS1_PADDING is no longer supported for private decryption.

It looks like this has been unsupported by default since nodejs 20.

While that post mentions a workaround to re-enable the padding option, that appears to have been disabled since.

$ NODE_OPTIONS='--security-revert=CVE-2023-46809' npx @discourse/mcp@latest generate-user-api-key --site https://example.com --save-to discourse-mcp.json  --scopes "read"
node: --security-revert= is not allowed in NODE_OPTIONS

I’m a little confused, because the code for this was recently added in discourse-mcp/src/user-api-key-generator.ts at 51f144fff8847647d1ba7354d5bc1fe661110a43 · discourse/discourse-mcp · GitHub a few months ago. Perhaps everyone is just using admin generated keys?

3

A post was split to a new topic: MCP’s default query parameter hallucination

4

What OS, NodeJS and OpenSSL version are you running?

It works fine for me on

Linux
Node 24.5
OpenSSL 3.6.0


◄ 0s ◎ npx @discourse/mcp@latest generate-user-api-key \
             --site https://meta.discourse.org \
             --save-to profile.json

🔑 Discourse User API Key Generator

Site: https://meta.discourse.org
Scopes: read,write

Generating RSA key pair...
✓ Key pair generated

Please visit this URL to authorize the application:

https://meta.discourse.org/user-api-key/new?application_name=Discourse+MCP&client_id=discourse-mcp&scopes=read%2Cwrite&public_key=-----BEGIN+PUBLIC+KEY-----blablabla----END+PUBLIC+KEY-----%0A&nonce=1764619683010

After authorizing, you will be redirected to a URL like:
  discourse://auth_redirect?payload=<encrypted_payload>

Or you may see the encrypted payload displayed on the page.

Paste the encrypted payload here:  longkey

Decrypting payload...
✓ User API Key retrieved successfully

✓ Saved to profile: profile.json

{
  "success": true,
  "profile": "profile.json"
}

◄ 16s ◎ node --version 
v24.5.0

◄ 0s ◎ openssl --version
OpenSSL 3.6.0 1 Oct 2025 (Library: OpenSSL 3.6.0 1 Oct 2025)
2 Likes
5 
$ node --version
v22.15.0
$ openssl -v
OpenSSL 3.6.0 1 Oct 2025 (Library: OpenSSL 3.6.0 1 Oct 2025)

I just switched to node 24 via nvm and it worked! That led me to find Unable to use RSA_PKCS1_PADDING with v22+ - `--security-revert` suggests CVE-2024-PEND · Issue #55628 · nodejs/node · GitHub which ends with saying that this will never work on node < 24.

I suppose discourse-mcp/package.json at 858e5bd5092c7d31693554046db34f98671a8cb9 · discourse/discourse-mcp · GitHub should be updated to >=24.

Thanks!

2 Likes
6

Good idea

2 Likes