I wouldn’t see each user requiring a separate key no… One admin key should do what I need.
I can consume the api no problem through postman. For example a GET to /notifications.json?username=alanmurphy returns the data no problem using just api-key as a header.
If I trigger that request from the console of a discourse installation I get data back no problem also i.e.
var xhr = new XMLHttpRequest();
xhr.addEventListener(“readystatechange”, function () {
if (this.readyState === 4) {
console.log(this.responseText);
}
});
xhr.open(“GET”, “https://**********.com/notifications.json?username=alanmurphy”);
xhr.setRequestHeader(“api-key”, “d06ca53322d1fbaf383a6394d6c229e56871342d2cad953a0fe26c19df7645ba”);
xhr.setRequestHeader(“api-userame”, “system”);
xhr.send();
All Good:+1:
However, if I do this from the sub-domain I am wishing to contact discourse from, it tells me that it has been blocked by CORS policy: Request header field api-key is not allowed by Access-Control-Allow-Headers.
The allowed headers are:
Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Visible, User-Api-Key, User-Api-Client-Id
If I could just get guidance on what auth params to pass for cross origin requests and where to get them that would be very helpful.
Ps. My discourse is set up to allow Cross Origin requests from the domain so I believe it is purely a headers issue
Thanks