Restrictions on API


I would like to know if it’s in the pipe to be able to put some restrictions on the API.
For example, giving the possibility to only send GET requests and not others…
Thanks for the reply.


What problem are you concerned about?

The API is how Discourse works. The program is a JavaScript application that uses the API.

It’s not really a problem.
I would like to scrape data from that API for some client and, for security reasons, not be able to interact with the forum through POST/DEL/PUT…
It can be manageable thanks to a firewall but unfortunately all clients do not have one.

It is not currently possible to lock API keys to specific routes and/or methods. But we are hoping to add support for “scoped” API keys in the near future.

For now, we recommend that you attach the API key to a user with the lowest possible permissions. If no admin/mod permissions are required, attach it to a regular user account.
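
An added example, not part of the original post or of Discourse's own code: a client-side wrapper that only ever builds GET/HEAD requests and never sends the key to another host, to be used alongside the low-privilege account recommended above. The class name, host, key and username are hypothetical placeholders; `Api-Key` and `Api-Username` are the request headers Discourse uses for API authentication.

```python
import urllib.request
from urllib.parse import urljoin, urlsplit

READ_ONLY_METHODS = {"GET", "HEAD"}


class ReadOnlyDiscourseClient:
    """Builds authenticated requests but refuses any method that could modify the forum."""

    def __init__(self, base_url, api_key, api_username):
        self.base_url = base_url.rstrip("/") + "/"
        self._headers = {
            "Api-Key": api_key,            # key attached to a regular, non-staff user
            "Api-Username": api_username,
            "Accept": "application/json",
        }

    def build_request(self, method, path):
        method = method.upper()
        if method not in READ_ONLY_METHODS:
            raise PermissionError(f"{method} blocked: this client is read-only")
        url = urljoin(self.base_url, path.lstrip("/"))
        # An absolute URL passed as "path" would carry the key to another
        # scheme or host; reject anything that leaves the configured origin.
        if urlsplit(url)[:2] != urlsplit(self.base_url)[:2]:
            raise ValueError("path must stay on the configured forum origin")
        return urllib.request.Request(url, headers=self._headers, method=method)

    def get(self, path, timeout=10):
        """Perform the GET and return the raw response body."""
        req = self.build_request("GET", path)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()


if __name__ == "__main__":
    # Constructed values; nothing is sent over the network here.
    client = ReadOnlyDiscourseClient(
        "https://forum.example.com", "PLACEHOLDER_KEY", "readonly_bot")
    print(client.build_request("GET", "/latest.json").full_url)
    try:
        client.build_request("DELETE", "/posts/1.json")
    except PermissionError as exc:
        print(exc)
```

This guard only limits what the scraping code can do by mistake; the server still accepts any method the key's user is permitted to perform, so the low-privilege account remains the actual control.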


OK perfect, I will do that.

Thank you to both of you!