When calling user-api-key/new with a client_id that is already used by another user the forum will throw a RecordNotUnique error and silently fail on an internal server error.
This might want to fail with something less silent informing the user that there already exists an API key with that client ID.
Though that brings me on the second question, are User API keys supposed to behave like that? Is the client ID supposed to be unique between all users?
Thank you for reporting this, I have a couple of questions though in order to help me look into this.
Can you provide a basic repro for this so that I can debug this locally? What is your use case for user-api-keys? Are you using the discourse hub mobile app or something else?
The first and repeating authorization will succeed as the first user, when using it again for another user without changing the client_id it will fail.
User API keys are used for allowing the user to use their forum account in the game client, so they’ll be able to post from ingame. We also have lot of users using them to authenticate with forum accounts to their own websites.
Whereas the client ID should be unique for the game clients, so each client is listed as seperate client in the apps screen. For website usecase you’d want to have one client ID so not each login is listed separately.