REST API calls fail due to Missing XSRF Token
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When making a call to the Bamboo REST API, for example:
curl -u <bamboouser>:<bamboopass> <bamboo-url>/rest/api/latest/<some-endpoint>
The call fails and the following appears in your output:
ERROR:-
java.lang.IllegalArgumentException: XSRF Token Validation failed (XSRF_FAILURE_NO_TOKEN_IN_COOKIE).
at com.atlassian.bamboo.ww2.interceptors.BambooXsrfTokenInterceptor.doIntercept(BambooXsrfTokenInterceptor.java:66)
at com.atlassian.bamboo.ww2.interceptors.AbstractBambooInterceptor.intercept(AbstractBambooInterceptor.java:34)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.atlassian.xwork.interceptors.AroundInterceptor.intercept(AroundInterceptor.java:25)
Cause
This specific error, XSRF_FAILURE_NO_TOKEN_IN_COOKIE
, is caused by the cookie sent to Bamboo missing the atl.xsrf.token.
Workaround
To work around this issue, please add the header X-Atlassian-Token: no-check
to your API call. For example:
curl -u <bamboouser>:<bamboopass> -H 'X-Atlassian-Token: no-check' <bamboo-url>/rest/api/latest/<some-endpoint>