Global API Key

junaid

I want to create an API Key that multiple users will use

I have a main web app (www.project.com) and a flarum app (www.project.com/community)

I've successfully implemented SSO between them.

I want to display flarum notifications on user dashboard on the main web app. I created an API key, inserting a key and admin's user id.

The API + Notification fetch works fine on admin account. However, it doesn't work on other user's account.

junaid

Any suggestions @luceos ?

junaid

@clarkwinkelmann suggestions?

huseyinfiliz

I don't think using the Flarum API key this way is a logical approach. Instead, you can create an extension and develop a custom API for yourself.

Also, these users are already logged in, so why are you using an API key? The Notification API can be used by each member to view their own notifications.

junaid

huseyinfiliz yup. Took me some trial-error to figure this out

luceos

You can create an API master token, the process is documented in this php api library: https://docs.maicol07.it/en/flarum-api-client (under configuration). This token can be used to authenticate on behalf of anyone; use it with core, don't commit it to your repositories and don't share it.

huseyinfiliz

luceos I used this, but are you sure it will work for members to retrieve their own notifications? Won't an API token still be required?

luceos

huseyinfiliz the master token acts as a replacement to the user Bearer token, eg Authentication: Token <masterToken>; userId=<userId>. This allows the api to then act on behalf of that user. The app that interacts with the API will need to know user Id's though.

Reference: maicol07/flarum-api-clientblob/eee853aaa8648e706e9875160fad024725f51fee/src/Client.php#L99

huseyinfiliz

luceos I still don't understand. When we manually create a token in the database, it is still linked to a specific user. When I start a discussion using this API, it creates the discussion under the user associated with the manually created token in the database.

I’m wondering what I’m doing wrong here.

SychO

huseyinfiliz

If a user_id value has been set for the key in the database, userId= will be ignored. Otherwise, it can be set to any valid user ID that exists in the database.

https://docs.flarum.org/rest-api/#usage

junaid

@huseyinfiliz @luceos thanks for your suggestions 😃

I found a solution:

I'm using this SSO extension. During login, I save the flarum session token.

I use the session token + cURL on /api to fetch unreadNotificationCount

`
public function fetch_community_notification_count()
{
// 🔹 Get the session token from cookies
$sessionToken = $_COOKIE['flarum_community_token'] ?? null;

    if (!$sessionToken) {
        return json_encode(["error" => "User is not logged in"]);
    }

    // 🔹 API URL for fetching forum details (includes unreadNotificationCount)
    $apiUrl = "{$this->communityApiBaseUrl}";

    // 🔹 Send cURL request with session token
    $response = $this->send_curl_request($apiUrl, $sessionToken);

    if (!$response) {
        return json_encode(["error" => "Failed to fetch user details"]);
    }

    // 🔹 Decode response
    $forumData = json_decode($response, true);

    // 🔹 Check if "actor" (logged-in user) data exists
    if (!isset($forumData['data']['relationships']['actor']['data']['id'])) {
        return json_encode(["error" => "Failed to retrieve user ID"]);
    }

    $userId = $forumData['data']['relationships']['actor']['data']['id'];

    // 🔹 Search for user data in the "included" array
    foreach ($forumData['included'] as $included) {
        if ($included['type'] === 'users' && $included['id'] == $userId) {
            return $included['attributes']['unreadNotificationCount'] ?? 0;
        }
    }

    // 🔹 If user not found, return 0
    return 0;
}

Let me know your thoughts 😃

huseyinfiliz

SychO Was setting the user ID to null enough? 🙄 I wish I had learned this months ago...

SychO

huseyinfiliz Was setting the user ID to null enough?

Yup, once you do that, you can pass userId= with the request header