API and Webhooks

Authenticate API v2 Calls as Another User (Spoofing)

When doing server-to-server API integrations, you may want to make API calls on behalf of another user. In Higher Logic Vanilla (Vanilla), you can do this by spoofing as another user, as described in this article.

📝 NOTE: The spoofing feature is enabled by default in all Vanilla accounts.

API calls and spoofing

You can spoof any API v2 call, as long as the user you're spoofing as has access to the endpoint.

In order to spoof, you must make API calls with an access token that has admin access (Garden > Settings > Manage). Make sure you have an access token that is associated with a user who has the proper permissions.

Pitfalls of spoofing

Before you use the spoofing functionality, make sure you understand the pitfalls.

Spoofing is a powerful tool, but it requires caution because you're allowing access to other user accounts. Make sure you really need to spoof.
Only ever spoof with an access token on the server. Never pass spoof headers in the client with JavaScript, in a mobile app, etc.
Do not use spoofing as a workaround for SSO. Think of spoofing as a tool for administrators or server integrations such as automated posts on behalf of users.
When you spoof as a user, the API call will be as that user and will be limited by that user's permissions. You can only make API calls that the spoofed user can make, based on their permissions.

Make spoof calls

In order to spoof a user when making an API call, pass the user ID of that user in the X-Vanilla-Spoof header, as shown.

Authorization: Bearer <Access Token>

X-Vanilla-Spoof: <userID>

This header will make the API call as user "123" rather than as the user who owns the access token.

This example uses an integer-based user ID. While this works, it can sometimes be difficult to develop with because you have to look up users before spoofing as them. To get around this, you can use Vanilla's Smart IDs to spoof users by name, email address, or SSO ID.

Spoofing with Smart IDs

Instead of using an integer-based user ID (as shown in the section above), you can use Vanilla's Smart IDs to spoof users by:

name,
email address, or
SSO ID.

Examples

// Spoof as username "frank"

X-Vanilla-Spoof: $name:frank


// Spoof with SAML SSOID

X-Vanilla-Spoof: $saml:f27d3aa9-23be-4bdf-9167-3a1f0c45cace

You can look up a user when spoofing with any valid smart ID.

For more information on smart IDs, check out the Smart ID documentation.

Read this next!

Mute Posts
As a member of an online community, you'll likely Follow and engage with numerous posts from other users, not to mention create your own posts that others engage with. Over time, you may come across threads that produce a high volume of engagement that you're not interested in, and this engagement can result in a similar…
Vanilla Co-Deploy
Co-Deploy: Empowering Customization for Your Community Forum At Higher Logic Vanilla (HLV), we understand that each organization has unique needs when it comes to community engagement. While many platforms offer basic theming and branding tools, Co-Deploy goes a step further, allowing Enterprise+ customers to fully…
Higher Logic – AI Terms of Use
Additional Terms for Use of AI Features By activating and/or using AI Features within the Software Services, the following terms (“AI Terms”) are hereby added to and become part of the Agreement between Higher Logic, LLC and your organization. Capitalized terms not defined in these AI Terms have the meanings given in the…
Create a Custom Layout Title Bar
In Higher Logic Vanilla (Vanilla), there are two types of Title Bars: Each Style Guide theme includes a Title Bar. Because a theme is applied community-wide, this functions as a default Title Bar that displays on every page. Communities that leverage Vanilla's custom page layouts can optionally create a custom Title…