User API keys specification

What are the security implications of adding things to allowed_user_api_auth_redirects? I have someone asking to add a string in order to support NextCloud integration.

Open redirects tend to make people nervous, in this case if you add say nextcloud, it means that people will be able to use a url on nextcloud to generate a key on discourse and then redirect back to nextcloud.

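An added example, not Discourse's own code, of how an allowlist such as allowed_user_api_auth_redirects should be checked so that an entry added for a NextCloud host admits redirects only to that exact origin and path prefix; the pipe-separated setting format and the trailing `*` wildcard are assumptions here, as are all host names used.

```python
"""Allowlist check for the auth_redirect of a user API key request.

Illustrative only: the matching rules below are an assumption, not the
rules Discourse itself applies to allowed_user_api_auth_redirects.
"""
from urllib.parse import urlparse


def _split(url):
    """Return ((scheme, host, port), path+query+fragment) or None if unsafe."""
    try:
        p = urlparse(url)
        # Only absolute http(s) URLs; reject user-info tricks and bad ports.
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        if p.username is not None or p.password is not None:
            return None
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:
        return None
    # A ".." segment could escape a path prefix after normalisation.
    if ".." in p.path.split("/"):
        return None
    rest = p.path
    if p.query:
        rest += "?" + p.query
    if p.fragment:
        rest += "#" + p.fragment
    return (p.scheme, p.hostname, port), rest


def parse_allowlist(setting):
    """Split the (assumed) pipe-separated site setting into entries."""
    return [e.strip() for e in setting.split("|") if e.strip()]


def redirect_allowed(redirect, allowlist):
    """True only if redirect matches an entry on origin and path."""
    target = _split(redirect)
    if target is None:
        return False
    origin, rest = target
    for entry in allowlist:
        wildcard = entry.endswith("*")
        allowed = _split(entry[:-1] if wildcard else entry)
        if allowed is None or allowed[0] != origin:
            continue  # origin must match exactly, never as a prefix
        if wildcard and rest.startswith(allowed[1]):
            return True
        if not wildcard and rest == allowed[1]:
            return True
    return False
```

The origin comparison is what stops an entry for cloud.example.com from admitting a redirect to a host that merely begins with that string.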
On Step 6, what API call are you specifically referring to?
Or if anyone else knows, please answer!

The API calls referred to in step six are whatever calls you want to make. That is just referring to the calls that do the thing you actually want to do with the discourse site.

In my case, I had a separate app that would interact with a Discourse site, doing things like creating posts on the Discourse site based on actions a user would take in the separate app. The app would log in the user, the user would do some stuff, and then the app would make POST and PUT API calls to create / edit Discourse posts from that user.

I see. In my case I just want to make it so that a user logs in on my website, does the Discourse authorization, then redirects back, and then my website can just read their username, email, avatar, id, etc. and create a new user on our site. @JQ331

Then you’re in the wrong place; you cannot use the User API keys for this.

Instead, you will need to configure Discourse as the DiscourseConnect provider and your website as a DiscourseConnect client. See Using Discourse as an identity provider (SSO, DiscourseConnect)

I’m right in saying for something like that I am going to need access to the site’s secret key?

There is no such thing as “the” secret key, but you will indeed need admin access to Discourse in order to configure this.

Hi, I tried to implement this user API key, but it seems it has an API rate limiter. I got 429 after a few API calls. Any configuration for this? I use paid hosting.

Here is more information about rate limits.

If you are hosting with Communiteq then please contact our support desk via your control panel to get this set up.

Hi @RGJ , thanks for the reply. My company has the Standard and Business plan but I cannot see support desk in control panel. Instead I emailed to is that correct?

If you’re hosted with us at Discourse (rather than with @RGJ at Communiteq), that is indeed the correct way to get in contact with our support team. :+1: :slightly_smiling_face:

I am writing an application that consumes this api.
Is there some way to get the user’s info (username, mostly) from this?
Or do I need to ask for the username manually, and then request it later?

Welcome, @gilice.

You don’t mean that you’re consuming the API to get api keys, but that you’re trying to do something with users?

This might help: Reverse engineer the Discourse API.

But if you’re trying to get a user’s username, one way to do it is search the email address on the admin/users route.

It would help if you say what you’re trying to do.

Hey! Thanks for the reply, I should have maybe phrased it better.
The question I wanted to ask: I can get the API key belonging to a user. Then, can I get the user’s profile (username, profile picture, etc.) without asking for their username and using the getUser method?

I’m unclear on how this would work. Where do you want to get the API key from? As you can see in the flow, the user needs to log in to get a key in the first place, and they need their normal login information for that. Can you explain more what you’re trying to do?

Hi Everyone,
In my application, I am using user API keys to achieve some of the Discourse functionalities. I have by mistake authorized the login (using the /user-api-key/new API) with the wrong Discourse account.

I have revoked access to the app from the wrong Discourse account. However, when I try to authorize using the correct Discourse account I am getting an error. When I looked into the logs, I found the error below:

ActiveRecord::RecordNotUnique (PG::UniqueViolation: ERROR: duplicate key value violates unique constraint “index_user_api_keys_on_client_id” DETAIL: Key (client_id)=

Based on the error, I assume we cannot associate 2 user accounts with the same client id.

Is there any way to overcome this problem?

Also, is there any API to update the client_id of a user API key even when the API key is revoked?

What exactly does that mean?

I’m writing an application that requests data on behalf of a user via user-api-key. The aim is to avoid rate limiting problems. When exactly does the app run into rate limiting problems?

I think you are looking for something like this:


Yup! That’s what I wanted. Thanks a lot!!!