Use an invite code to bypass new user approval?

you can think of some variation of the invitee email which would be hard for spam-bots to guess. e.g. if your email is, then the invite code can be simply stephan.tester123!

everyone know their own email. don’t they?

Creating unique codes per-invite would require you to have internet access, no? If not then it’s something you can brute force.

It wouldn’t bypass the need to verify email, there is no substitute to sending an email to a mailbox and having the recipient follow a link or enter a received code, that’s why it’s still done everywhere.

a unique code per user name is enough, not per invite.

yes, I can see the problem with the verification email. the main idea was about being able to gamify the invites and use the credit, bypassing the email was just a suggestion coming up from the fruitful discussion, which is really not applicable.

I think what is misleading is the term “invite”.

All accounts need a username and a valid email address. Typically a member supplies these when they register.

It sounds like what you have in mind is more like a “pre-registration” where you supply the username and email address and they follow a link to activate the account.

I guess this could be done but I don’t know how things could be worked out to give you “invite” credit.

Isn’t this possible with bulk invites plugin @techAPJ?


Yes, that is correct.

@Pad_Pors I think this is closest to what you are looking for?

Using the above plugin you can simple hand out invite tokens to the people without needing to invite them manually.


cool thanks :+1: , just to understand it clearly: using the plugin:

  • admins can create several invitation-keys for users.
  • each key works for a particular email.

is it working like that?

though not necessary, I think one can think on a simpler routine where trusted-users can invite others and get the credit.

I agree with @Stephen that the invitation buttons are great, but at least in our community (which is still young) people prefer to use word of mouth rather than a button!

hey! there is a community here you will enjoy being part of!

now imagine this dialogue:

hey! there is a community here you will enjoy being part of. if you come, tell Samuel has introduced me! this way you’ll be trusted simpler from the beginning.

Yes, admin can create (generate) several invitation-keys (invite tokens).

No invite tokens are not linked/restricted to an email. While redeeming/accepting the invitation user has ability to provide email and choose username.


I followed the plugin discussion, and seems to me the plugin is not doing much in the favor of a simpler invitation process to be used in conference cases:

What this particular use case is reusable invites perhaps with a limited time frame. Then you could flash your url on a slide and people could copy it and do what you want.

The other solution is to allow users to request accounts, but that won’t give users credit for the invites.

OMG @codinghorror , I am needing this so much today.

I need to invite 50 people to a forum, I do not have their emails, I just want to share a code in a whatsapp group and have them all join.

As it stands there is absolutely no clean way of doing this. Since this is rather urgent for me I will hack something rudimentary up today.

I am thinking

requires approval : true
auto approve code : default empty, if anything on signeup user is prompted to enter approval code, if it matches, user is auto approved

This means I can share that 12345abc is the approval code to the forum on my whatsapp group and people can share within the circle. Once forum is seeded with enough users it can move to the more secure / controlled manner.

This is not about credit in my mind, far more about being able to semi securely seed a forum with lots of users quickly from another medium.


So this is about invite only / all users must be approved by staff sites? The title of this topic is badly broken if so, let me fix that now.

I don’t have any objection to this in terms of bypassing invite / approvals.


OMG indeed! I don’t know how it’s taken this long to explain this to you guys. It was a problem for me from my very first time using Discourse five years ago. I don’t know if I posted about it then, but I have seen this question a bunch of times since then. I needed it again for a client last fall and I didn’t bother to ask.

It’s great that this will get solved!


You didn’t address the topic at all, though.

In order to join any Discourse instance ever created, users must have an email address. How else can users create a Discourse account? Via passenger pigeon? Telegraph? Smoke signals? Fax machines? :bird:

This is explicitly about sites with “staff must approve all new users” set. It’s a really narrow condition, since I view the Discourse default in the wild as open user signup …

I’m sure that I’ve seen the exact example that Sam just described multiple times. You have a community that you want mostly private. You don’t know people’s email addresses,but have some other way to communicate with them.

I know I’ve used the example of wanting to invite people to join a private forum at a conference by sharing a URL and a code or password on a slide as an example.

Yes, it’s is an edge case.


Try re-reading the first post which mentions none of this.

Generally all you need to do is say “go to and sign up!”

This certainly addresses the OP, longer term we can make this per user if this takes off but for now a single code will do.


I cannot really support this unless the code grants the new user a free staff approval. Otherwise it feels a bit… insane and totally random?

1 Like

The idea is that this feature is used instead of staff approval. (it could be used if you also were concerned that lots of bots would request accounts, but that does seem unlikely)

Replace “username” in the OP with “invite token”. Does that make sense?

No, because the first post :arrow_up: in this topic was about users signing up with no email address at all.

How can such a user, with no email, ever reset their password, for example? Or even confirm their signup as valid?

I was the one who fixed the topic title, check edit history on that first post.

1 Like