User API keys specification

Discourse contains a system for generating API keys per user if a very specific protocol is followed. This feature facilitates “application” access to Discourse instances without needing to involve moderators.

High level description

At a high level:

  1. Client (desktop app, browser plugin, mobile app) generates a private/public key pair and return url

  2. Client redirects to a route on discourse giving discourse its public key

  3. Discourse gets approval from user to use app

  4. Discourse generates a user api key

  5. Discourse redirects back to return url with an encrypted payload using public api key containing the user api key


Use cases:

  1. Desktop applications that poll Discourse sites on behalf of end users to get notification counts across multiple sites.

  2. Mobile applications that poll Discourse sites on behalf of end users and handles push notifications

  3. Web applications that provide a dashboard for end users about various Discourse sites.

  4. Custom integrations with 3rd party apps that consume Discourse as part of a general company app. Eg: integrate Discourse community notifications into hopscotch app.

The design:

Site Settings

  • allow_user_api_keys: default on (allow users to generate api keys)

  • allow_user_api_key_scopes: allowed access scopes for user api keys. Defined here

  • min_trust_level_for_user_api_key: 0 (require this trust level for api key access)

  • allowed_user_api_push_urls: list of sites that can be targets for push notifications

  • allowed_user_api_auth_redirects: allowed redirect destinations after user api key generation

Global Settings

  • max_user_api_reqs_per_minute: 20
  • max_user_api_reqs_per_day: 2880

UX elements

If any user api keys have been granted, Discourse displays an apps tab in the user page.

The apps tab will list:

  • The name of the application eg: (“Discourse Notifier”)
  • Last use date
  • Approved date
  • List of access scopes granted
  • A revoke access button so you can easily revoke any keys

API Key authorization UI

Every key will have to be explicitly authorized by end users in a page that clearly explains what is going on, for example:

“Discourse Notifier” is requesting the following access to your account:

  • Read and clear notifications
  • Read user session info
  • Create a one-time login token


API key generation flow

API only requires a single GET request on the user’s end.


  • auth_redirect: url to redirect back to with the generated token
  • application_name: the name of the application making the request (will be displayed in the user account’s Apps tab)
  • client_id: a unique identifier for the client
  • scopes: comma-separated list of access scopes allowed for the key, see allow user api key scopes for the full list of available scopes
  • push_url: url to push notifications to (required and valid only if push or notifications are included in the scopes)
  • public_key: the public part of the keypair generated by the client

After /user-api-key/new is called with correct params 2 things may happen

  1. If user is not logged on, we will redirect to login (after login we will resume authorization)
  2. Once a user is logged on they will be presented with the authorization UI

After authorization is allowed, system will redirect back to the URL defined in auth_redirect and include a single encrypted payload parameter containing the generated user API key and, if requested, a one-time login token. client_id is not echoed back for extra security.

Checking API version

The use key API in Discourse is versioned. Clients can check a Discourse site’s API version by making a HEAD request to The response will contain a header named Auth-Api-Version containing the version number of the site’s API.

Consuming the API

Consuming the client API will be somewhat different that the current admin API.

Client can specify 2 headers:

User-Api-Key (required): the key that was generated


User-Api-Client-Id (optional): supply this to update the ‘client id’ stored for this api_key in the database.

Once those headers are specified client can perform requests against the API just as they would normally.

Generating a one-time-login password

As of version 4, the API includes a special scope: the one_time_password scope, which allows clients to use the user API key to generate a one-time-password. If the client includes this scope when generating the API key following the steps above, a one_time_password will be included in the encrypted payload.

Alternately, the client can make a GET request to /user-api-key/otp with the following parameters:

  • auth_redirect
  • application_name
  • public_key

and with the User-Api-Key header.

This request will redirect to a screen in Discourse that will ask the user to allow the application access to the site. If the user approves, the site will redirect back to the URL defined in auth_redirect and include an encrypted payload with a one-time password which the client can use to login to the site by requesting (The one-time-password is only valid for 10 minutes.)

Revoking API keys

To revoke an API key, make a POST request with the User-Api-Key header and no params to /user-api-key/revoke.


There are places I’ve strongly considered writing a delayed post tool, so I can compose a bunch of “word of the day” type things to keep going while I’m on vacation. Doing it without proper API access and pretending to be a browser seems somewhat more complicated than on other forum software.

(Just as an example of another use case.)

That is a good example, but keep in mind, our default will be only to enable read tokens, not write ones. Site admins will have to opt to allow write tokens.

Completely agree that the _t cookie hacks are a huge problem.


Does max_user_api_calls_per_key_day setting apply to admin-created keys at /admin/api?

Nope only to user api keys, we can look at adding extra limits for standard Api keys, it is a good safeguard

1 Like

To be clear, this is not implemented yet, correct?

No, it’s there (for almost 2,5 years now) - Admin - Settings - User API.


As of Discourse 2.1 these user api keys now auto-expire if left unused for long periods of time, correct @sam?


Correct the site setting: expire user api keys days is set to 180 out of the box.


Okay, but you have to have admin access to see that page yes? And as an admin, it seems I can only create 1 key, so can’t create many keys for different users. confused.

What are you trying to accomplish? It’s not clear because there is this (user api keys) and regular API tokens (which is what I think you are after) that admins can create for multiple users, but you have to do that from the individual user’s page inside of the admin dashboard by clicking on the “generate” button on the “API Key” field.


Thanks! Yes, “regular API tokens” for users is what i was after. I’m sure I’d seen that a million times, and never realized it was there. :heavy_check_mark:


Hey everyone I’m not sure if this was resolved? I see that it’s possible to create an “All Users” and (per user) level API token as an admin, but I’m interested in giving a user the power to generate his/her own token. Has there been work done on this? It sounds like the original thread was getting at this idea, and then it was lost. Thanks!

Download the mobile App and then add a site, that uses the user api key system you have to follow a very strict workflow, no plans to expose arbitrary generation of keys in user prefs

1 Like

Thank you! I downloaded the app, and then realized that the sites I belong to don’t have this enabled (I’ve been testing on my local machine with the Dockerized discourse). Just to make sure we are talking about the same thing - I’m interested in generating tokens to use just a scoped subset of functions (and not global API keys to do all the things). Is this what you are talking about?

It seems like, given that there is an endpoint to generate tokens, it would be logical to provide this function (to users with a certain trust level, for example) from within the site. Otherwise, it would need to be the case that the site generates some external page (with a server to hide an admin token) to generate the keys for the user. Is it the case that 1. there is no internal generation of tokens for the user (and why not?) and 2. Nobody has created some external app (javascript, flask, anything really) to perform this action?

1 Like


Possibly, conceptually

  1. This is tricky to consume cause you need to use custom HTTP headers (by design)

  2. It would be very hard to educate even TL3 users about what the point is of this thing.

I prefer not to ship UI for this in core, but maybe you should write a plugin for your specific use case?

Can you explain a bit more about the “why” here?

The design of the system centers around “I have an external dedicated program”, “this program knows how to follow Discourse protocol”, “It asks for token”

API keys (non user ones) are much easier to consume cause you just append them after the ?


Can I pass the API key generated from the user page on this? I was trying to use that API key and seeing ‘You are not permitted to view the requested resource.’ error on /categories.json API request

Hi guys

Apologies if this is duplication but I am having trouble digesting the steps there even though they are very well put together

I have a discourse installation on and a site on from which I need to make calls to the discourse installation to pull and set some data.

All requests work from postman with Api-Username and Api-Key - no problem

However for cross origin requests using JS discourse doesnt allow the Api-Username leading me down the path of the flow described in this thread i.e. using the User-Api-Key and the User-Api-Client-Id

I basically require a description of paramaters PUBLIC_KEY,NONCE,CLIENTID used in the sample request below and where I can get them…

Finally will this flow allow for seamless api requests from my to without the need for authentication.

PS I have SSO set up between the forum and the site from which the requests are being made so the user will be logged in…

Thanks for any guidance

One sec, is this a per user thing? Are you allowing arbitrary users to do this?

Our server API supports header based auth these days so it can work with CORS just like the user api keys do. You would use the user api keys if you want to restrict scopes and allow end users to generate the keys vs admins.

1 Like

I wouldn’t see each user requiring a separate key no… One admin key should do what I need.

I can consume the api no problem through postman. For example a GET to /notifications.json?username=alanmurphy returns the data no problem using just api-key as a header.

If I trigger that request from the console of a discourse installation I get data back no problem also i.e.

var xhr = new XMLHttpRequest();
xhr.addEventListener(“readystatechange”, function () {
if (this.readyState === 4) {
});“GET”, “https://**********.com/notifications.json?username=alanmurphy”);
xhr.setRequestHeader(“api-key”, “d06ca53322d1fbaf383a6394d6c229e56871342d2cad953a0fe26c19df7645ba”);
xhr.setRequestHeader(“api-userame”, “system”);

All Good:+1:

However, if I do this from the sub-domain I am wishing to contact discourse from, it tells me that it has been blocked by CORS policy: Request header field api-key is not allowed by Access-Control-Allow-Headers.

The allowed headers are:

Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Visible, User-Api-Key, User-Api-Client-Id

If I could just get guidance on what auth params to pass for cross origin requests and where to get them that would be very helpful.

Ps. My discourse is set up to allow Cross Origin requests from the domain so I believe it is purely a headers issue