Need help regarding login API discourse


(Harinder Singh) #1

Can anyone tell me how I can use Login rest api for discourse?

How I can authenticate without API_KEY?

Means user will login using username and password parameters. Please help anyone?

I have found this one : - curl http://localhost:3000/c/test/sub-test.json?api_key=test_d7fd0429940&api_username=test_user

What is the purpose of username and password?

I need it really like this , User will login by entering username and password and get something like token or api_key.

Help Anyone please.


(Blake Erickson) #2

You are able to generate individual api_keys for each user.

admin --> Users --> click on the user --> scroll to Permissions section, API Key, press Generate

Is this not an option?


(Harinder Singh) #3

Suppose. When a user is registered and login with username and password. Means api is not required at that login time. Which api they used to login?

I got your point that we can create api’s for every new users what my question is how can I login with only username and password?


(Blake Erickson) #4

In theory you should be able to use the api with the username/password auth, I’ve never done it so I can’t walk you through it, but if you inspect the network traffic in the web browser you can probably figure it out.

The login page is using ember. Ember is sending a post request to /login with the username and password. I’m sure a temp token is being returned and ember is then making all the network calls with that token.


(Harinder Singh) #5

Thanks Blake,

I will check it and let you know if it works or not.

Please post here if you find any direct api for login using username and password.


(Adam Beers) #6

Any luck here? Trying to do logins with API using username and password. Can a token be returned and then used instead of api_key and api_username as parameters in the GET URL? Not very secure that way.


(Felix Freiberger) #7

The regular API (not the user API) only accepts cookies or API keys.

Why would that be insecure in your opinion?


(Blake Erickson) #8

It can be considered insecure because even with https the GET parameters can show up in log files or sniffed network traffic.


(Felix Freiberger) #9

They shouldn’t harm in server logs (the server knows the credentials anyway), and they cannot be sniffed – with HTTPS, the URL is encrypted, too :slight_smile:


(Adam Beers) #10

Right, but I’m not using HTTPS at the moment. I might have to look into doing it that way if the API doesn’t support another way.


(Adam Beers) #11

What do you mean by “regular” API and “user” API?


(Felix Freiberger) #12

If you are not using HTTPS, any security considerations are moot, and any form of authentication Discourse offers is horribly insecure!

The regular API ist what the web app uses, the user API is a recent addition and used by the Discourse mobile app.


(Kunal Kamble) #13

Hi @blake,

  1. Is there any REST API where I can pass username and password to get API Key?
    it is better I can authenticate user using username and password and once it is authenticated I get API Key as response.
  2. is there any API to enable/reset API Key as it is manual job I have to go to admin/users, then find API Key option and activate it for new users.