XSRF check failed when calling Cloud APIs
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
requests are failing with the error, XSRF check failed,
Atlassian Cloud REST API are protected from Cross Site Request Forgery (XSRF/CSRF) attacks for security reasons. For this reason, requests made from other systems may be rejected with a 403 status code when they originate from outside of the Atlassian Cloud, as shown below.
$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser" HTTP/1.1 403 Forbidden Date: Fri, 06 May 2016 06:11:15 GMT ... XSRF check failed. More information at https://confluence.atlassian.com/x/DhpJMQ
In this example, we have attempted to perform an operation as
admin, which has failed due to XSRF protection.
To call protected APIs from external systems you can add the
X-Atlassian-Token header to each request, setting the value to
no-check. Adding this header to a request bypasses the server-side XSRF check and allows the request to be fulfilled.
$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser" -H "X-Atlassian-Token: no-check" HTTP/1.1 200 OK Date: Fri, 06 May 2016 06:13:31 GMT ...
How to call protected REST APIs from third party websites
It is not possible to call protected APIs from third party websites as this would pose a security risk.