Get an API key's scopes and user level via the API

I was going to post this as a feature request, but figured I should confirm that it doesn’t already exist before doing that.

Does Discourse provide a route that can be used to get the scopes and user level of a given API key? The goal here is to confirm that an API key supplied to an external application has sufficient permissions but doesn’t have overly broad permissions.

Edit: after doing some research, what I’m asking for here is a “key info endpoint.” This endpoint typically allows clients to query details about the API key that they are using. This can include:

  • scopes
  • user level
  • validity
  • usage stats

In terms of the Discourse API, information about scopes and user level would be useful. Discourse API keys don’t have an expiration date, so if the key can be used to access the key info endpoint, it can be assumed to be valid.

I suspect this topic should be rewritten as a feature request. I’m not aware of anything like a “key info endpoint” for the Discourse API. A general use case would be for a service that builds apps that hook into the Discourse API. A specific example of where it could be useful now would be if the Discourse Zapier integration was expanded to add some more action hooks. The types of actions that could be performed would be dependent on the scopes of the API key that had been supplied to Zapier. To get around this now, it would be tempting to ask users to supply a Global API key. This would go against the principle of least privilege.

5 Likes