Unable to access API using authtoken (forbidden)

[gabrieljablonski]

Although the websocket connections work just fine, I'm unable to use an authtoken to make API calls (such as to /api/messages/unread), as it just returns a forbidden error.

Using a session id works, so I'm not sure if I'm doing something wrong or if it's just not supposed to be possible to access the API using just an authtoken. If not, is it possible to acquire a session id using an authtoken?

Using a valid authtoken:

Using a valid session id:

[mix-ologist]

Currently, as it is written the code depends on the user having a session.

https://github.com/destinygg/website/blob/master/lib/Destiny/Controllers/PrivateMessageController.php#L201

A new session instance is created upon hitting the app, so provisioning one of those is likely a matter of hitting the right page:

https://github.com/destinygg/website/blob/master/public/index.php#L39

Each of these endpoints have different requirements so I'd recommend reading the PHP for your usecase. I would be happy to chat if you want to try to figure out your usecase.