User API keys specification

I find allowed_user_api_auth_redirects default of “discourse://auth_redirect” rather restrictive, especially because “discourse” does not appear to be a valid URI scheme.

Please explain the thinking behind this default. Thank you.

I am having this issue as well. If I initiate the API from a JS application, then automatically the allowed headers are: User-Api-Key, User-Api-Client-Id even though I do not need user API keys. All I want is a simple API key but I cannot get anything to work. If I try to pass Api-Key in the headers I get a CORS error since it expects User-Api-Key. But when I try to use User-Api-Key, I get 403 errors. I am stuck. I would think this is the base usage for using the APIs. I am not trying to do anything out of the ordinary. I am simply trying to create a new topic post.


That is the custom URI scheme used by the DiscourseHub app for iOS and Android.


I’ve got a question concerning the “read tokens” and “write tokens”. This comment here is from 2016, so this possibly had already been changed? Or are the defaults still only “read tokens”?

Background: I’m one of the coders behind a distributed social media system. We already do have connectors to non-federating systems. The idea is to write an addon for discourse as well. But when most likely most system won’t allow users to generate tokens that allow posting, we will try another way. We already do have a mail connector. Then we will simply use the mailing list function of Discourse and we will try to enhance the returned content and will post via SMTP.

You can do write tokens if you ask for the scope upfront


Of course this is always possible. But I have the feeling that this is a support nightmare. Our software has got some hundred installations with (in total) more than 10k users. When they see that there is an addon that is connection to Discourse, many will surely like to use it. And since it most likely won’t work out of the box, this will generate questions and support work from our side. Additionally it will generate work for the admins of the several Discourse installations. And very likely not all will allow it - which will cause frustration.

So possibly at first I will focus on integrating the mailing list mode mails. Or is it possible to combine these two? Means: Reading of the posts via the API, but posting via SMTP?

Hi…I don’t know to generate public_key… should I use RSA generator to get public/private key?
If so I have done with some online RSA generators. but I am getting this error:

OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key: nested asn1 error) /var/www/discourse/app/controllers/user_api_keys_controller.rb:189:in `initialize'

Also, I want to ask you guys if this suits my user case:
I have an app, and I want to basically authenticate user and get the username, is generating api key flow the simplest flow for me to validate user’s login in my app? If possible, I want avoid SSO because it seems more complicate.

Same boat here, although I am only trying to use User-Api-Key (not Api-Key) to create a topic post and am getting CSRF denial from the actionpack library.

Unless the discourse server has turned off CSRF checking, posting from a third-party desktop app seems hard. I’m not about to emulate a browser.

@sam What is your take on allowing User API Keys that only have the read scope attached, to be passed via URL params on GET requests?

Use case is allowing integrations like subscribing your Improved Bookmarks with Reminders in Google Calendar using User API keys.


How about creating a specific new scope, with a third parameter to indicate “get param allowed”. That way, people can’t misuse it for other things (e.g. bypassing CORS and requesting the discourse API from another site).

(from here)

    read: [:get],
    write: [:get, :post, :patch, :put, :delete],
    message_bus: [[:post, 'message_bus']],
    push: nil,
    one_time_password: nil,
    notifications: [[:post, 'message_bus'], [:get, 'notifications#index'], [:put, 'notifications#mark_read']],
    session_info: [
      [:get, 'session#current'],
      [:get, 'users#topic_tracking_state'],
      [:get, 'list#unread'],
      [:get, 'list#new'],
      [:get, 'list#latest']
+   calendar: [ [:get, 'users#bookmarks_cal', true ] ],

(Aside: why are we using nested arrays here…)


I like that the API key would be flagged explicitly as “allowed in GET” at the user level.

As a whole the option could be open for any GETs. The rule I like is, when operating in this mode:

  1. User API key is 100% restricted to a single specific GET controller action
  2. User API key is flagged as allowed in GET query params.

This limits the impact of any leak here via a proxy cause the key will never be reused.

I guess {get: 'list#new'} , {get: 'list#latest'} would work as well.


I’m super interested in get param only type user api keys. My question is, are you guys planning to allow people to generate these keys via UI?

Probably, maybe behind a site setting or with a plugin. We do plan to normalise the feature set a bit so admin api keys also support scopes.


Hi…Are you able to resolve this issue? I have the same issue and not able to fix it. I tried passing different type of keys and nothing worked. Any help would be greatly appreciated.

Are there any libraries for this? If not, an example implementation? I’m trying to use PHP to identify a user’s Discourse account on a separate portion of the website. This seems like a modified OAuth flow but I’m a bit confused on how to implement this.

Specifically, I’m not sure how to do the whole public/private key generation.

Is there a way to just do OAuth 2 with Discourse as an OAuth provider?


Did you succeed in this using the User-Api-Key? I’m also getting a You are not permitted to view the requested resource

1 Like

I figured out what I did wrong: The returned payload is not the UserAPI key itself, but an encrypted JSON string, that would need to be decrypted with the private key of the private/public keypair.


EDIT: I’ve been able to get most of it to work, and will provide a description once I’ve got it fully working.

How does the client get the private/public key pair and id?

Are you able to provide code for getting the user api key with a javascript app? (A javascript app trying to allow a user to make API calls to a discourse forum).

I am getting 403 errors. Or, an error saying: Sorry, we are unable to issue user API keys, this feature may be disabled by the site admin (even though my site has checked: Allow generation of user API keys).

I think the issue could be how to generate the private/public key pair (how is that done?), and then handling the redirect.

Any code is appreciated.

I have gotten this to work, after some trial and error.

Here are the basic steps that I follow when: I have a separate app that I have coded, and I want users to be able to use that app to make API calls to a discourse site.

To do that, I need to generate a per-user API token to make calls on behalf of each specific user (at least in a nodejs/javascript environment).

Note that for the javascript side of things, I found the code that @KengoTODA provided here: discourse-api-key-generator/index.ts at main · KengoTODA/discourse-api-key-generator · GitHub to be very helpful.

Here are the steps I’ve followed:

First: Generate a public and private key pair.

This is something your app needs to generate–a public key and a private key. The github gist provides one method to do this.

Second: Have a redirect URL.

This is the URL discourse will redirect to, providing the final API token in the payload. If you have a desktop app (ie, doesn’t have a browser URL), the redirect URL will be based on a custom protocol you set up that opens the app when the redirect URL is entered in the browser.

Note that the redirect url needs to be whitelisted on the site settings of the target discourse site.

The discourse site also likely needs to have the site setting checked for “Allow user api keys”. See the original post on this topic for “Site Settings”.

Third: Send the API request call to the discourse request url.

So your app will send a call to a url that follows this form:

https://[your target discourse site .com]/user-api-key-new"

and adding as parameters:

  • your app name
  • you “client_id” (I was able to use hostname(), from const {hostname} = require('os') for a desktop app, just like in the github gist referenced above)
  • scopes (this is the scopes that you want the user to be able to do through the api, like “write”, “read”, etc)
  • your public key (from step 1 above)
  • your redirect url (from step 2 above)
  • nonce (this is a value you can choose–like just using ‘1’ seems to work)

Fourth: User authorizes your app on the discourse site page that is opened by the request url

When you send the request url successfully, it opens a page on the discourse site telling the user your app wants to access the site.

On that page, there is a button for the user to allow this. When the user clicks this button, the discourse site redirects to the redirect url you provided, and attaches as a param a ?payload=[the API KEY]. The API KEY here is the key you need to decode in your app.

Fifth: Your app picks up the redirect url value (with payload value), and you decode the API KEY

You’re almost there. Your app needs to parse the redirect url that discourse went to, and get the API Key contained in the payload.

Once you have that API Key, you need to do two things:

  1. Get the actual key, not the URL encoded version: if you are getting a param from a url, it is often url encoded (adding % here and there, etc.). You need to clean it up. In javascript, I have found decodeURIComponent to work for this.
  2. Once you have the cleaned up API KEY returned from discourse, you need to decode it. To do this, you can use javascript decoding with private keys. Basically, you use your private key (generated in the first step above), and to decode the cleaned up API KEY. There is some example javascript in the github gist I referenced above: discourse-api-key-generator/index.ts at main · KengoTODA/discourse-api-key-generator · GitHub

After you run your decoding code, you have the token itself, which you can now use to make authenticated API calls on behalf of the user.

Sixth: Use the token (ie, the final, cleaned up, decoded API Key) to make api calls on behalf of the user

With that token, it appears you don’t need to enter the user name in the api call. I find the following header to be sufficient when you include it in your GET, POST, PUT, etc call:

headers: {
"User-Api-Key": [the token]

And with that, you hopefully have a working per-user authentication method to interact with discourse.


What are the security implications of adding things to allowed_user_api_auth_redirects? I have someone asking to add a string in order to support NextCloud integration.