XSRF check failed when calling Cloud APIs


Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.

Problem

Requests are failing with the error "XSRF check failed".

Diagnosis

Atlassian Cloud REST APIs are protected against Cross-Site Request Forgery (XSRF/CSRF) attacks. As a result, requests made from other systems may be rejected with a 403 status code when they originate from outside Atlassian Cloud, as shown below.

$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser"

HTTP/1.1 403 Forbidden
Date: Fri, 06 May 2016 06:11:15 GMT
...

XSRF check failed. More information at https://confluence.atlassian.com/x/DhpJMQ

In this example, we have attempted to perform an operation as admin, which has failed due to XSRF protection.

Resolution

To call protected APIs from external systems, add the X-Atlassian-Token header to each request and set its value to no-check. Adding this header to a request bypasses the server-side XSRF check and allows the request to be fulfilled.

$ curl -u admin:admin -X POST -i "https://xxxx.atlassian.net/example/api/action?username=testUser" -H "X-Atlassian-Token: no-check"

HTTP/1.1 200 OK
Date: Fri, 06 May 2016 06:13:31 GMT

...

Note that this is only available for requests made by command-line tools or external systems, not browser requests. This is because the Cross-Origin Resource Sharing specification does not allow JavaScript loaded in third-party websites to set arbitrary request headers.
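The following sketch is an added example, not Atlassian's implementation: it models why a custom header works as an XSRF defense by pairing a server-side header check with the browser's rule for cross-origin request headers. The function names, the third-party origin, and the assumption that only state-changing methods are checked are illustrative.

```python
# Added illustration: a simplified model, not Atlassian's implementation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumption: only state-changing methods are checked
# Request headers cross-origin script may set without a CORS preflight
# (simplified: Content-Type is safelisted only for a few values).
CORS_SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
TOKEN_HEADER = "x-atlassian-token"


def xsrf_check(method, headers):
    """Status the modelled server returns: 403 unless the token header is 'no-check'."""
    if method.upper() in SAFE_METHODS:
        return 200
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    return 200 if lowered.get(TOKEN_HEADER) == "no-check" else 403


def browser_sends(page_origin, api_origin, headers, preflight_allow_headers=()):
    """True if a browser would transmit a script-initiated request with these headers."""
    if page_origin == api_origin:
        return True  # same-origin script may set custom headers
    custom = {name.lower() for name in headers} - CORS_SAFELISTED
    allowed = {name.lower() for name in preflight_allow_headers}
    return custom <= allowed  # otherwise the preflight fails and nothing is sent


def outcome(client, method, headers, page_origin=None, api_origin="https://xxxx.atlassian.net"):
    """Result for a non-browser client ('external') or a page in a browser ('browser')."""
    if client == "browser" and not browser_sends(page_origin, api_origin, headers):
        return "blocked by browser"
    return xsrf_check(method, headers)


if __name__ == "__main__":
    token = {"X-Atlassian-Token": "no-check"}
    third_party = "https://third-party.example"  # constructed origin
    print("external, no header:  ", outcome("external", "POST", {}))
    print("external, with header:", outcome("external", "POST", token))
    print("cross-site form:      ", outcome("browser", "POST", {}, third_party))
    print("cross-site script:    ", outcome("browser", "POST", token, third_party))
```

A forged cross-site form submission reaches the server but carries no token header, so it is rejected with 403; a cross-site script that tries to add the header is stopped by the browser before the request is sent.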

How to call protected REST APIs from third party websites

It is not possible to call protected APIs from third-party websites, as this would pose a security risk.

Product: Jira, Confluence
Platform: Cloud
Last modified on Mar 21, 2024
