Pi-Hole API not working

The issue I am facing: Pi-Hole API not working

Details about my system: Debian, Apache2 with Pi-Hole

What I have changed since installing Pi-hole: Changed /var/www/html/admin to /var/www/html/pihole

I have problems with the API. I have set it up so that I can access the API via a subdomain.
So "sub.domain.tld/pihole/api.php..." shows me the json data. Now when I try to include it with this code, I get this error: "Uncaught (in promise) SyntaxError: Unexpected token 'F', "Failed COR".... is not valid JSON"

<label id="domains_being_blocked"></label>
function getElement(id) {
  return document.getElementById(id);

.then(res => res.json()
.then(json => {
  getElement('domains_being_blocked').innerText = json.domains_being_blocked;

I use 1:1 the same code on the same page but with a different API from a different service and it works fine. So it must be Pi-Hole. Where is the error?

Since you do not include the error, it a bit of a guess what the issue is. But on the surface, unless you have setup https for your Pi-hole site, it won’t work. Pi-hole is http by default.

If I had to guess at the error you are getting a CORS error.

What error message do you need?

The URL only shows what the http page outputs.
It is only a cover, so to speak.

How could I fix this?

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Is that necessary? I mean I can retrieve the data. I think the problem is this cors or something. A debug log of my instance doesn't help that much or am I wrong?

Well, it might help the developers rule out issues. So, if they suggest that, why not give it a shot.

Backing up to your question to me:

The URL of your page or the URL used by your Pi-hole API call. Your code block calling the Pi-hole API is using https, based in the code snippet you shared. I cannot imagine that is the real URL you are using, but it suggests https and not http:

The URL shows my current directory (/var/www/html). By attaching /pihole/api.php to the url I get /var/www/html/pihole/api.php.

So in the end I call the api.php with the appropriate args, summaryRaw & auth, over https, yes.

But how should that affect the functionality of the API? Because in the browser everything is displayed normally via https.

But, originally I had it as http URL, only there the HTML page where I want to embed the API complained that it can't load an http page in an https page. And the HTML must be loaded in HTTPS unfortunately.

You probably need to include your domain here

P.S. Any modification made here is likely be reverted during the next update.

It does not work. The only difference I find is that I see the following on the HTML page in the browser at the API URL: [Browser Dev Tools -> Elements -> api.php/... -> Preview]

> Failed CORS: #URL HTML SITE# vs #IP PIHOLE#, #EXTRA API URL#, pi.hole, localhost

If I now add my URL to ../scripts/pihole/php/auth.php I get this:

Failed CORS: #URL HTML SITE# vs #IP PIHOLE#, #EXTRA API URL#, pi.hole, localhost, #EXTRA API URL#

So in the end the same URL only twice. So that doesn't seem to be the problem.

In addition, I have now set that I can also call the extra URL for the API via http. Because that could have been a problem. But now, as already mentioned, I also have this error on the HTML page:

Mixed Content: The page at 'https://#URL HTML SITE#/' was loaded over HTTPS, but requested an insecure resource 'http://#EXTRA API URL#/pihole/api.php?summaryRaw&auth=#MY AUTH TOKEN#'. This request has been blocked; the content must be served over HTTPS.

If I then add the following line to the HTML file, this error goes away, but the Cors error remains.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> 


I use the API. Unfortunately I get a Cors error if the URL requesting the data is not manually inserted here.

How can I make it accept ALL urls? Is this a security risk?
Something like "." or "*" does not work.

That's done with for me. I have found another way, but it is probably not suitable for others. If someone knows a solution to the problem, they can post it here for other users who find this post and are looking for a solution to their problem.

Then you're not using the API correctly. What endpoints are you calling and how are you calling them?


I have the way with the config from here:

So this seems to be a duplicate of another topic you've already opened and are using. I'll merge this topic into that one. Please don't open new duplicate topics.

What should I do if no one answers me anymore, but I need help? :thinking:

Wait patiently.

Opening new topics for the same thing will only lead to a bunch of unanswered topics that have no relation or link to each other. That wastes everyone's time and efforts to help you. It will also lead to your early forced retirement from this community.

1 Like

I didn't want to inconvenience anyone...

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.