How to properly Whitelist a Function to be Accessible via REST API in Frappe

Hi, I’m following the steps in the documentation outlined here:
https://docs.frappe.io/framework/user/en/api/rest

Using POSTMAN, I’m trying to call the function get_logged_user(). I’ve checked if it’s already been whitelisted and it seems to be the case, but I’m still getting a permission error and a message that the function is not whitelisted when using a GET request.

"exception": "frappe.exceptions.PermissionError: <details><summary>You are not permitted to access this resource. Login to access</summary>Function <strong>frappe.auth.get_logged_user</strong> is not whitelisted.",

frappe/auth.py

@frappe.whitelist()
def get_logged_user():
	return frappe.session.user

GET Request :

http://<base-url>/api/method/frappe.auth.get_logged_user

headers: {
        'Authorization': 'token api_key:api_secret'
    }

Can someone help me with how I can call the function “get_logged_user()”? It’s just for figuring out how to call any erpnext functions. Thanks.

What does your Postman setup look like? I can confirm this works fine:


Similar to yours.

Can you tell me what your message said?

I managed to fix it by allowing guest access to the function.

@frappe.whitelist(allow_guest=True)

Output:

{
"message": "Guest"
}

whitelist=True

It will be a kind of public API, so do you want it that way?

@sideroomghost

curl --location 'http://development.localhost:8000/api/method/frappe.auth.get_logged_user' \
--header 'Authorization: token 24e98a3077bdd0e:b55fa1fdb01cecb' \
--header 'Cookie: full_name=Guest; sid=Guest; system_user=no; user_id=Guest; user_image='

Just change your user key and secret; no need to change the frappe code.
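
Since `allow_guest=True` turns a whitelisted method into a public endpoint, as raised earlier in the thread, a static check can list which whitelisted functions in an app are reachable without login. This is an added example, not code from the thread or from Frappe; the sample module and the names `audit_whitelist` and `is_whitelist_call` are constructed for illustration.

```python
import ast

# Constructed sample module for the audit (not taken from Frappe's code base).
SAMPLE_SOURCE = '''
import frappe

@frappe.whitelist()
def get_logged_user():
    return frappe.session.user

@frappe.whitelist(allow_guest=True)
def ping():
    return "pong"

@frappe.whitelist(allow_guest=False)
def update_note(name, content):
    pass

def internal_helper():
    pass
'''


def is_whitelist_call(node):
    """True for a decorator written as frappe.whitelist(...) or whitelist(...)."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr == "whitelist"
    return isinstance(func, ast.Name) and func.id == "whitelist"


def audit_whitelist(source):
    """Map each whitelisted function name to "guest" or "login"."""
    exposure = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in filter(is_whitelist_call, node.decorator_list):
            guest = False
            for kw in dec.keywords:
                if kw.arg == "allow_guest":
                    # Only a literal False counts as login-only, so a dynamic
                    # value is flagged for review instead of being missed.
                    literal = isinstance(kw.value, ast.Constant)
                    guest = not (literal and kw.value.value is False)
            exposure[node.name] = "guest" if guest else "login"
    return exposure
```

Running `audit_whitelist` over each `.py` file of a custom app gives a list of guest-accessible methods to review before deployment.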