Hi @simon, thanks for your response. Let me explain our case in more detail.
We are building a mobile app that relies on backend logic from Discourse endpoints. When a user logs in through the app, the login data is sent to the Discourse API via session.json, which returns a cookie. This cookie is then used to redirect the webview to /user-api-key/new, prompting the user to approve authorization. After approval, the payload is decrypted into API keys.
In this case, we can use the API keys as a global token within the mobile app to access other Discourse endpoints. However, when the user logs out, the token should be removed from the global state so that they cannot access endpoints like creating a new topic.
My question is from this topic: how can we check if a user already has user_api_keys and if they are still active? If the keys exist and are active, the user should be able to use them after login. If not, the user will need to create new user_api_keys, which would require approval in the webview.
This is the main issue I’m facing.
Another solution I considered, based on a post from How to Retrieve User API Keys Value via API, is to store the API keys in our mobile app’s database.
I also referred to the post Generate User API Key Without User Approval - #2 by simon, which I initially looked at for API key implementation. However, the problem remains the same: when I check /admin/api/keys, we cannot retrieve the value of API keys already saved in the database or get API keys per user. I believe, for this implementation, we would need to store the API keys in our own database.