Restrictions on API

Romain · November 15, 2019, 9:35am

Hello,

I would like to know if it’s in the pipe to have and be able to put some restriction on the API.
For example, giving the possibility to only send GET requests and not others…
Thanks for the reply.

Regards

pfaffman · November 15, 2019, 1:36pm

What problem are you concerned about?

The API is how discourse works. The program is a javascript application that uses the API.

Romain · November 15, 2019, 2:34pm

It’s not really a problem.
I would like to scrape datas from that API for some client and for security reasons, not be able to interact with the forum through POST/DEL/PUT…
It can be manageable thanks to a firewall but unfortunately all clients do not have one.

david · November 15, 2019, 2:42pm

It is not currently possible to lock API keys to specific routes and/or methods. But we are hoping to add support for “scoped” API keys in the near future.

For now, we recommend that you attach the API key to a user with the lowest possible permissions. If no admin/mod permissions are required, attach it to a regular user account.

Romain · November 15, 2019, 2:46pm

Ok perfect, i will do that.

Thank you to both of you!

Topic		Replies	Views
Enable user to Generate API key feature	5	1474	May 14, 2018
Use scoped API Keys admins rest-api , how-to	6	2016	September 26, 2020
Group restrictions API on Category support	1	660	September 25, 2020
Discourse_api gem help support	3	640	June 24, 2019
How do I set up a read only API for my forum page dev rest-api	1	182	January 16, 2024

Restrictions on API

Related Topics