Authenticating APIv2 Calls as another User (Spoofing) - HL Vanilla Community
<main> <article class="userContent"> <p>When doing server-to-server API integrations, you may want to make API calls on behalf of another user. In <strong>Higher Logic Vanilla (Vanilla)</strong>, you can achieve this by <strong>spoofing </strong>another user. In this article, you'll learn how.</p><h2 data-id="what-api-calls-can-you-spoof">What API calls can you spoof?</h2><p>You can spoof any APIv2 call you want, as long as the user you're spoofing has access to the endpoint.</p><h2 data-id="pitfalls-of-spoofing">Pitfalls of spoofing</h2><p>Before you decide to use the spoofing functionality, make sure you understand the pitfalls.</p><ul><li>Spoofing is a very powerful tool, but can be dangerous too because you're allowing access to other user accounts. Make sure you really need to spoof.</li><li>Only ever spoof with an access token on the server. Never pass spoof headers in the client with JavaScript, in a mobile app, etc.</li><li>Don't use spoofing as a workaround for SSO. Think of spoofing as a tool for administrators or server integrations such as automated posts on behalf of users.</li><li>When you spoof as another user, the call will be <em>as</em> that user. This is especially important when it comes to that user's permissions. In other words, you can only make API calls that the spoofed user can make, based on their permissions.</li></ul><h2 data-id="enable-api-spoofing">Enable API spoofing</h2><p>API spoofing requires the <strong>Spoof</strong> addon to be enabled. You can enable it in the Dashboard, on the <strong>Settings > Addons > Addons</strong> page. 
</p><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/LUSBMQ4IPAED/enable-spoof.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/LUSBMQ4IPAED/enable-spoof.png" alt="enable_spoof.png" height="520" width="1250" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p>In order to spoof, you must make API calls with an access token that has admin access (<code class="code codeInline" spellcheck="false" tabindex="0">Garden > Settings > Manage</code>). Make sure you have an access token associated with a user that has the proper permissions.</p><h2 data-id="make-spoof-calls">Make spoof calls</h2><p>In order to spoof when making an API call, you pass the user ID of the user you want to spoof in the <code class="code codeInline" spellcheck="false" tabindex="0">X-Vanilla-Spoof</code> header. </p><h4 data-id="example">Example</h4><pre class="code codeBlock" spellcheck="false" tabindex="0">Authorization: Bearer &lt;Access Token&gt;
X-Vanilla-Spoof: 123
</pre><p>These headers will make the API call as user "123" rather than the user who owns the access token.</p><h2 data-id="spoofing-with-smart-ids">Spoofing With Smart IDs</h2><p>The example above shows an integer user ID. While this works, it can sometimes be difficult to develop with because you have to look up users before spoofing as them. To get around this, you can use Vanilla's <a href="https://success.vanillaforums.com/kb/articles/46-smart-ids" rel="nofollow noreferrer ugc">Smart IDs</a> to spoof users by name, email address, or SSO ID. 
</p><h4 data-id="examples">Examples</h4><pre class="code codeBlock" spellcheck="false" tabindex="0">// Spoof as username "frank"
X-Vanilla-Spoof: $name:frank

// Spoof with SAML SSO ID
X-Vanilla-Spoof: $saml:f27d3aa9-23be-4bdf-9167-3a1f0c45cace
</pre><p>You can look up a user when spoofing with any valid smart ID. For more information on smart IDs, check out the <a href="https://success.vanillaforums.com/kb/articles/46-smart-ids" rel="nofollow noreferrer ugc">Smart ID documentation</a>.</p> </article> </main>
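As an added example (not Vanilla's own client code), here is a small server-side Python helper that builds the two headers described above, validates the spoof target (an integer user ID or one of the smart ID forms shown on this page), and confirms which user the call actually runs as before anything is written on that user's behalf. It assumes APIv2 is served under /api/v2 with a GET /api/v2/users/me endpoint, and the site URL and token come from placeholder environment variables.

```python
import json
import os
import urllib.request

# Added example, not Vanilla's own client code. Assumes APIv2 is served under
# /api/v2 and that GET /api/v2/users/me returns the user the call runs as.
SMART_ID_PREFIXES = ("$name:", "$email:", "$saml:")  # forms shown on this page


def spoof_header_value(target):
    """Validate a spoof target and return the X-Vanilla-Spoof header value.

    target is a positive integer user ID (or its digit string) or a smart ID
    such as "$name:frank"; anything else is rejected before it reaches the API.
    """
    if isinstance(target, int) and not isinstance(target, bool) and target > 0:
        return str(target)
    if isinstance(target, str):
        if target.isdigit() and int(target) > 0:
            return target
        if target.startswith(SMART_ID_PREFIXES) and target.split(":", 1)[1]:
            return target
    raise ValueError("spoof target must be a user ID or smart ID: %r" % (target,))


def build_headers(access_token, target):
    """Headers for a spoofed call made from the server. The token is read from
    the environment by the caller and never handed to a browser or mobile app."""
    return {
        "Authorization": "Bearer " + access_token,
        "X-Vanilla-Spoof": spoof_header_value(target),
        "Accept": "application/json",
    }


def whoami_as(base_url, access_token, target):
    """Call /users/me while spoofing and return the user the API sees.

    Compare the returned userID with the intended target before issuing any
    write as that user, so a mistyped smart ID is caught before anything is posted."""
    url = base_url.rstrip("/") + "/api/v2/users/me"
    req = urllib.request.Request(url, headers=build_headers(access_token, target))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    site = os.environ["VANILLA_SITE"]           # placeholder, e.g. https://community.example.com
    token = os.environ["VANILLA_ACCESS_TOKEN"]  # admin-scoped token, server side only
    user = whoami_as(site, token, "$name:frank")
    print(user.get("userID"), user.get("name"))
```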