Unable to create "Single User" level API key, always defaults to "All Users"

Replication steps:

  1. open https://yourdiscoursedomain.com/admin/api/keys
  2. select new key
  3. choose “single user” as the user level
  4. Create the key
  5. Open key details after creation
  6. The user level will be “All Users”

It is very unclear to me what the difference between the two user level options is, but this seems to pretty clearly be a bug.

(I am using the hosted discourse service)

Did you also select a user to create the API key for?

Mostly an “all-user” api key is what you want. For some things, most notably using discourse_theme, a user key is required.

What are you trying to do with the API?

1 Like

I can reproduce the issue if I follow the steps you have listed. When creating an API key for a single user, Discourse expects a username to be added to the form’s User field:

If ‘Single User’ is selected as the User Level, but no username is added to the User field, an All Users API key is created. I would expect an error message to be displayed instead. Similar to what happens when the form is submitted without a description.


I wanted to create a sort of “bot” user for retrieving posts from specific categories. This discourse instance has authentication from GSuite only, so there isn’t a way of creating arbitrary users anymore. I had hoped that for a “Single User” key it would let me enter the new username I wanted to assign bot, but now I see that the username must be an existing user. The username form field has no validation so it was not clear that I could not enter in just any name (like I would do for slack incoming webhooks for example). It then silently fails on submission when looking up the username I entered and creates an All Users key instead.

I suppose this is more of a usability bug than functional. I found the documentation here confusing as it did not explain the User Level field at all and there was no mention of an “All Users” type besides one instance in a comment farther down the thread.

An all user API key would work unless you want the “bot” not to be able to read some categories.

Is this your username selector component @joffreyjaffeux?

No this is not a select-kit component. The issue is that we check only on description being present not on username. The userMode (single/all) is only a client side value, so when the model is validated server side, all it knows is that we requested a key and that we provided a user or not.

That should make it better, will ask david to review: