XF 2.2 API Superuser VS Admin


New member
Just curious:
If I create a SuperUser-API-Key, the API will not let me DELETE threads or POST to users ... unless I additionally send XF-Api-user (Administrator) with the headers.
"errors": [
            "code": "do_not_have_permission",

Shouldn't the SuperUser-API-Key be enough if it has all the permissions?
If I create a Key based on an Administrator with all rights and use this, no XF-Api-user header is neccessary.


XenForo developer
Staff member
This is expected as the super user key lets you control the user you access the API as, but there's always a user behind everything. If you don't tell us one, it'll be a guest and thus, by default, you'll have the same permissions as a guest.

This is covered in the docs, as well as the (optional) method for bypassing permissions when using a super user key:

If the API key selected is a super user key, you may pass the user ID of the context user via the XF-Api-User header. If no user ID is passed, the context will default to a guest.

If the request is made with a super user key and you wish to bypass the context user's permissions, this may be done on a per-request basis by setting the api_bypass_permissions parameter to 1. (This can be passed via a query string or as part of the request body.)