XSRF check failed when calling Cloud APIs

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.


requests are failing with the error, XSRF check failed,


Atlassian Cloud REST API are protected from Cross Site Request Forgery (XSRF/CSRF) attacks for security reasons. For this reason, requests made from other systems may be rejected with a 403 status code when they originate from outside of the Atlassian Cloud, as shown below.

$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser"

HTTP/1.1 403 Forbidden
Date: Fri, 06 May 2016 06:11:15 GMT

XSRF check failed. More information at https://confluence.atlassian.com/x/DhpJMQ

In this example, we have attempted to perform an operation as admin, which has failed due to XSRF protection.


To call protected APIs from external systems you can add the X-Atlassian-Token header to each request, setting the value to no-check. Adding this header to a request bypasses the server-side XSRF check and allows the request to be fulfilled.

$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser" -H "X-Atlassian-Token: no-check"

HTTP/1.1 200 OK
Date: Fri, 06 May 2016 06:13:31 GMT


Note that this is only available for requests made by command line tools or external systems, not browser requests. This is because the Cross Origin Resource Sharing specification does not allow JavaScript loaded in third party websites to set arbitrary request headers.

How to call protected REST APIs from third party websites

It is not possible to call protected APIs from third party websites as this would pose a security risk.

Descriptionrequests are failing with the error, XSRF check failed,
ProductJira, Confluence
Last modified on Oct 12, 2018

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.