Should the password be plain text when creating a user through the API?

I’m creating a small windows application that will use Discourse as the SSO provider. The first step in that chain is allowing the app to create a user through the Discourse API.

I’ve got that working, however it seems that the password for the user is passed in plain text and I’m wondering why that is? It seems like that could be a security issue… is the thought just that people should use SSL and that’s good enough to protect the password?

Yes, SSL is considered sufficient to protect secrets in-flight. Until the world sees the light and switches to something like TLS-SRP, sharing secrets over a secured channel are pretty much all we’ve got to work with.


Can we send encrypted password instead of plain text password ?

is there any way to pass an encrypted password instead of plain text password ? we are developing one app in which we are using /session api for checking authentication of the user. where username and password need to be submitted. i noticed one thing that lets say if you go to browsers developer tool , where you can actually see your plaintext password which we pass while logging. so if anybody has my laptop access, then password may get hacked right.

1 Like

If SSO is enabled, the password is not being used at all, so this is not an issue.
Just provide some random characters.


if you want to go the extra mile, you can do certificate pinning in your APP to make sure there is no man in the middle attack.


As long as you’re using TLS, passwords are sent encrypted. If you’re not using TLS, you’re on a fast train to doom regardless.

If you meant “hashed” rather than “encrypted”, then no, that is not a supported configuration, because the hashing mechanism used within Discourse is not a part of the public interface contract, and is subject to change at any time.

Well, yes, but if someone’s got access to your laptop, they can just drop a keylogger that captures the password before it goes through any hashing process. The security threat model of Discourse (and every single web application) includes the stipulation that the endpoint is not compromised.