Defect #33029

API POST requests fail with 422 Can't verify CSRF token authenticity. on 3.4.13, 4.0.6 and 4.1.0

Added by casper nielsen almost 2 years ago. Updated over 1 year ago.

Status: Needs feedback
Priority: Normal
Assignee: -
Category: REST API
Target version: -
Affected version: 4.1.0
Start date:
Due date:
% Done:
Resolution:


I have been tasked with making our main application work with a newer version of redmine than it did before.
The old one was ancient. Our current one is 3.4.13 in a docker container.

I have tried the latest three versions on localhost. They behave the same in this regard:
When I make POST requests using HTTParty or even curl, I get a 422 response code with the message "Can't verify CSRF token authenticity"
This is my request:
    timeout: @options[:timeout],
    headers: {'Content-Type' => 'application/json'},
    body: somehash.to_json

In the redmine source code ApplicationController it calls protect_from_forgery. I don't see any exceptions on this like I would expect with api-requests.
I thought CSRF protection was only meant for posted forms and the like. I may be wrong on that. How would I know what to send as a CSRF-token when making api-requests without prior requests?
I read the API reference. I didn't see anything on the matter.

What am I missing?

Another thing:
I have tried putting the key in the body with the json key "key" and as a header with the key name 'X-Redmine-API-Key' like specified. None of those are accepted it seems.
I can only make it accept the key if passed as a query parameter for some reason.


#1 Updated by Holger Just almost 2 years ago

  • Status changed from New to Needs feedback

It's likely that you have forgotten to activate the support for REST API in your local Redmine installation. Make sure to activate the API in Administration -> Settings -> API.

Does this solve your issue?

#2 Updated by casper nielsen almost 2 years ago

Enable REST web service is ticked.

I have resorted to disallowing protect_from_forgery by mounting and overwriting the additional_environment.rb containing that setting. This is acceptable but not optimal.
It's an internal system behind a firewall, so I'm not worried about that.

I do not verify the ssl certificate either. This is just until we get a proper certificate on that server. But I doubt that should cause this.

Am I supposed to provide a CSRF-token with an api post request?
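
The key placement and certificate settings mentioned in this thread, as an added example that is not part of the original posts or of Redmine's code: it builds the same kind of JSON POST with the key in the X-Redmine-API-Key header and certificate verification on, and audits a request for the weaker settings. The host name, key, payload, the /issues.json path and the helper names build_post and audit are assumptions.

```ruby
require 'net/http'
require 'openssl'
require 'json'
require 'uri'

# Constructed placeholders (assumptions, not values from the thread).
BASE_URL     = 'https://redmine.example.internal'
API_KEY      = 'REPLACE_WITH_API_KEY'
SAMPLE_ISSUE = { issue: { project_id: 1, subject: 'constructed sample' } }

# Build the client and request without sending anything; the caller would
# run http.request(req). The /issues.json path is an assumption.
def build_post(base_url, api_key, payload, key_in_query: false, verify_tls: true)
  uri = URI.join(base_url, '/issues.json')
  uri.query = URI.encode_www_form(key: api_key) if key_in_query

  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl      = (uri.scheme == 'https')
  http.verify_mode  = verify_tls ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  http.open_timeout = 5
  http.read_timeout = 10

  req = Net::HTTP::Post.new(uri)
  req['Content-Type']      = 'application/json'
  req['X-Redmine-API-Key'] = api_key unless key_in_query
  req.body = payload.to_json
  [http, req]
end

# List the weak settings a client/request pair carries.
def audit(http, req)
  findings = []
  query = URI.decode_www_form(req.uri.query.to_s).to_h
  findings << 'API key in query string (URLs are commonly written to logs)' if query.key?('key')
  findings << 'API key header missing' unless req['X-Redmine-API-Key']
  if http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_NONE
    findings << 'TLS certificate verification disabled'
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  strict = build_post(BASE_URL, API_KEY, SAMPLE_ISSUE)
  weak   = build_post(BASE_URL, API_KEY, SAMPLE_ISSUE, key_in_query: true, verify_tls: false)
  puts "strict: #{audit(*strict).inspect}"
  puts "weak:   #{audit(*weak).inspect}"
end
```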
