XF 2.1 REST API

Welcome to another HYS for 2.1 and this one's a biggie. If you haven't seen the previous entries about what's coming in XF 2.1, check them out here.

Although Halloween may be over, why not trick the "Watch forum" link into giving you a treat, by getting it send you an email whenever we post about new things in the pipeline.

As I write this, our most popular suggestion was a REST API and with 2.1, it's here. While this is a fairly developer-focused feature on its own, it opens up many more integration options. This will make it easier to get data into or out of XenForo, without having to understand the underlying PHP framework that XF is built on.

The API breaks down into a few distinct components, so let's look at those in turn.

 

[Diesan Romero]

You can use another language to use XenForo API? Any modules for NodeJS?

 

[Aayush]

You can use another language to use XenForo API? Any modules for NodeJS?

It's an API which you can access over HTTP. Use 'request' package in nodes to hit the REST API endpoints directly for your needs.

 

[NicolasZN]

Is there an api endpoint to post an alert for a user?

Wondering if this is possible still.

 

[Paul B]

The endpoints are documented here: https://xenforo.com/community/pages/api-endpoints/

 

[kahovn]

Hi,

Want to call api by postman tool? So, how input parameter for api key seting?

Thanks

 

[wasif]

Hi,

Want to call api by postman tool? So, how input parameter for api key seting?

Thanks

Just add "XF-Api-Key:YOUR_XF_API_KEY" and "XF-Api-User:USER_ID" in header

 

[kahovn]

Just add "XF-Api-Key:YOUR_XF_API_KEY" and "XF-Api-User:USER_ID" in header

Thanks you so much @wasif

 

[Georgsius]

Hello,
With api I want to make new posts and threads not from users, but from guests. How can I do that? If I make new guest key from admin panel, how can I select name for that guest?
Is it possible to allow guest posting from rest api and disallow guest posting from web interface?

 

[donwon]

API keys

All API access requires authentication using a key. Keys can only be created in the control panel by a super administrator. Because the ability to create an API key is very powerful, simply accessing the keys may require an additional password check. This is similar to GitHub's "sudo mode".

When accessing the API, you will always be acting as a particular user. This will be used to know who is creating content or what permissions to use, though there are some exceptions to this which we'll get into later. Therefore, there are three types of API keys:

1. Guest keys. This will only be able to access data that a guest can access. To emphasize, a key must still be created, even for guest API access.
2. User keys. These keys are tied to a particular user. All actions (such as creating a thread) will be attributed to this user and their permissions will be taken into account.
3. Super user key. These are the most powerful keys, and can access the API as any user and bypass the user's permissions if needed. These keys are primarily designed for complex integrations. For example, you may integrate with a third-party CMS that creates a thread whenever you post a new article. This type of key would allow you to create a thread with a different user depending on the article author or in a forum that users normally can't post in.

Super user keys (or user keys attached to privileged users) are very powerful, so it is important that you protect any created API keys so that they can't be used in unexpected ways, such as by bulk deleting threads or even whole nodes.

To help limit the amount of damage that could be done by a compromised key, every key has a set of allowed scopes:

View attachment 186717​

This screenshot only shows a few of the available scopes. Each content type or action exposed by the API will be covered by some sort of scope. For example, threads and posts are covered by distinct scopes to limit reading, writing (creating/updating/soft-deleting) and hard deleting. For security, you should only give a key the API scopes that you intend to use.

No API key can take a particular action unless it has the relevant scope. For example, if you have an integration that needs a super user key to post a thread, then you would want to give it thread:write (and likely thread:read as well), but you wouldn't want to give it node:delete or user:delete.

(For those of you keeping score, API scopes are what's using the entity relation values via closures change as discussed on Tuesday. The type:action convention is in various APIs, so it made sense for us to use it too but that isn't valid as a phrase name.)

To further aid security, whenever an API key is generated or modified, all super admins will be sent an email.

Now that we have an API key, we can start to access the API...

One of our advertisers was wanting a super user key so he could create a way to set up automatic scheduled posts for himself. After reading this I am not very comfortable with it. Thoughts?

 

[Lukas W.]

They don't need a super user key for posting, a normal user key for their account will be sufficient.

 

[doublespaces]

Is there any way to verify an api key locally? Length? Hash?

 

[chaim2003]

is there way to get all users (not just 20 every request)?
that is to say: Is it possible to add filters on the request?

 

[chaim2003]

the request

that the response

what the solution for this?

 

[Robust]

Is there any way to verify an api key locally? Length? Hash?

No. API keys are generated randomly.

public function generateKeyValue()
{
    return \XF::generateRandomString(32);
}

You can verify the length is 32, as all API keys are 32 characters in length, but there is no further check you can do to try and verify an API key's validity.

is there way to get all users (not just 20 every request)?
that is to say: Is it possible to add filters on the request?

Somewhat. The users endpoint is paginated, but the perPage limits are the same as your global membersPerPage option. You can either set that to an absurdly high value, but that will affect other areas in your installation (hence not recommended), or you can overwrite the \XF\Api\Controller\Users::actionGet method yourself to make it use a value sent in the request for pagination, instead of using the core membersPerPage option.

This is something that should really be done in the core, tbh, so maybe make a suggestion.

 

[chaim2003]

No. API keys are generated randomly.

public function generateKeyValue()
{
    return \XF::generateRandomString(32);
}

You can verify the length is 32, as all API keys are 32 characters in length, but there is no further check you can do to try and verify an API key's validity.


Somewhat. The users endpoint is paginated, but the perPage limits are the same as your global membersPerPage option. You can either set that to an absurdly high value, but that will affect other areas in your installation (hence not recommended), or you can overwrite the \XF\Api\Controller\Users::actionGet method yourself to make it use a value sent in the request for pagination, instead of using the core membersPerPage option.

This is something that should really be done in the core, tbh, so maybe make a suggestion.

Looks complicated
i will check it
Thank you very much!

 

[arn]

The API is great. Are there any plans to add thread "move" functionality?

We would like “move” (change node) functionality too. We are currently changing the database field. But it doesn’t update other stuff.

arn

 

[kahovn]

Anyway, using api of xenforo 2 is not enough. Scope action that provived is not enough for app

 

[Miacommunity]

Where can I find media APIs?

 

[kahovn]

Where can I find media APIs?

You have must defined own your api layer

 

[Miacommunity]

What do you mean exactly?