XF 2.2 do_not_have_permission error when requesting to modify a post

canina

Member
I implemented the code below to change a thread. The API key is a super user key with full permissions, but I get a do_not_have_permission error.
Code:
<?php
// Set the API endpoint URL
$endpoint = 'http://112.45.67.890/api/threads/1';

// Set the API key
$apiKey = '*************************';

// Set the request parameters
$params = array(
    'title' => 'This is a test comment',
    'prefix_id' => 1,
    'discussion_open' => 1,
    'sticky' => 1,
    'username' => 'admin',
    'tags' => 'test',
    'message' => 'This is a test comment',
    'user_id' => 1,
);

// Set the request headers
$headers = array(
    'Content-Type: application/x-www-form-urlencoded',
    'XF-Api-Key: ' . $apiKey,
);

// Send the POST request and print the raw response
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

echo $response;
Thanks for any help
 
The developer docs go into a little detail on that:

If the API key selected is a super user key, you may pass the user ID of the context user via the XF-Api-User header. If no user ID is passed, the context will default to a guest.

Basically, your API key can access any scope of the API, but it has the permissions of a guest user when executing those API requests. You can pass an XF-Api-User in the header with a user ID of an account with the permissions you need (I think it's also needed if you're doing post commands, so the correct user is associated as the author), or you can bypass the permissions with a parameter api_bypass_permissions set to 1 in your request body, to perform the action you need.

Generally, for API keys meant exclusively for deleting content, I'll usually just create the key and link it to a super administrator user instead, then set the scope accordingly. I generally try to avoid using a super user key by default - so far I haven't really needed one.
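
Added example, not part of either post and not XenForo's own code: the same thread update sent with an XF-Api-User context header instead of api_bypass_permissions, with the API's error codes surfaced. The environment variable names XF_API_URL and XF_API_KEY, the helper names xfCheck() and xfApiPost(), the context user ID 1 and the sample error response are assumptions constructed for illustration.

```php
<?php
// Added example. Assumed names: XF_API_URL, XF_API_KEY, xfCheck(), xfApiPost();
// the user ID passed as context is a placeholder.

// Decode an API response; throw with the API's error codes on failure.
function xfCheck(int $status, string $body): array
{
    $json = json_decode($body, true);
    if ($status >= 400 || !is_array($json) || isset($json['errors'])) {
        $codes = is_array($json) ? array_column($json['errors'] ?? [], 'code') : [];
        throw new RuntimeException("HTTP $status: " . (implode(', ', $codes) ?: 'no error code returned'));
    }
    return $json;
}

// POST form-encoded parameters as the given context user.
function xfApiPost(string $path, array $params, int $contextUserId): array
{
    $ch = curl_init(rtrim(getenv('XF_API_URL'), '/') . '/' . ltrim($path, '/'));
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [
            'Content-Type: application/x-www-form-urlencoded',
            'XF-Api-Key: ' . getenv('XF_API_KEY'),   // kept out of the source file
            'XF-Api-User: ' . $contextUserId,        // omitted => request runs as guest
        ],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Transport error: ' . curl_error($ch));
    }
    return xfCheck(curl_getinfo($ch, CURLINFO_RESPONSE_CODE), $body);
}

if (getenv('XF_API_URL') && getenv('XF_API_KEY')) {
    // Live call: edit thread 1 as user 1 (placeholder ID with edit rights).
    print_r(xfApiPost('threads/1', ['title' => 'This is a test comment', 'sticky' => 1], 1));
} else {
    // Offline: constructed response of the shape returned for the error in this thread.
    $sample = '{"errors":[{"code":"do_not_have_permission","message":"...","params":[]}]}';
    try {
        xfCheck(403, $sample);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

Running the request as a specific account keeps that account's permission checks in force, whereas api_bypass_permissions skips them for the whole request.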