Defect #33029

API POST requests fail with 422 Can't verify CSRF token authenticity. on 3.4.13, 4.0.6 and 4.1.0

Added by casper nielsen over 2 years ago. Updated 2 months ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:


Category:REST API
Target version:-
Resolution:Invalid Affected version:4.1.0


I have been tasked with making our main application work with a newer version of redmine than it did before.
The old one was ancient. Our current one is 3.4.13 in a docker container.

I have tried the latest three versions localhost. The behave the same in this regard:
When I make POST requests using HTTParty or even curl, I get a 422 response code with the message "Can't verify CSRF token authenticity"
This is my request:
timeout: @options[:timeout],
headers: {'Content-Type' => 'application/json'},
body: somehash.to_json

In the redmine source code ApplicationController it calls protect_from_forgery. I don't see any exceptions on this like I would expect with api-requests.
I thought CSRF protection was only meant for posted forms and the like. I may be wrong on that. How would I know what to send as a CSRF-token when making api-requests without prior requests?
I read the API reference. I didn't see anything on the matter.

What am I missing?

Another thing:
I have tried putting the key in the body with the json key "key" and as a header with the key name 'X-Redmine-API-Key' like specified. None of those are accepted it seems.
I can only make it accept the key if passed as a query parameter for some reason.

Screenshot 2022-02-08 231555.png (50.6 KB) Arkady Marchenko, 2022-02-08 17:18

Screenshot 2022-02-08 231705.png (21.1 KB) Arkady Marchenko, 2022-02-08 17:18


#1 Updated by Holger Just over 2 years ago

  • Status changed from New to Needs feedback

It's likely that you have forgotten to activated the support for REST API in your local Redmine installation. Make sure to activate the API in Administration -> Settings -> API.

Does this solve your issue?

#2 Updated by casper nielsen over 2 years ago

Enable REST web service is ticked.

I have resorted to disallowing protect_from_forgery by mounting and overwriting the additional_environment.rb containing that setting. This is acceptable but not optimal.
It's an internal system behind a firewall, so I'm not worried about that.

I do not verify the ssl certificate either. This is just until we get a proper certificate on that server. But I doubt that should cause this.

Am I supposed to provide a CSRF-token with an api post request?

#3 Updated by Arkady Marchenko 3 months ago

Today faced same issue, trying create news with Postman
Content-Type: application/json

    "news": {
        "title": "NewsJsonApiTest",
        "summary": "News JSON-API Test",
        "description": "This is the description" 

Keep returning 422 Unprocessable entity (Screenshot 2022-02-08 231555)
And in the server log I found that error (Screenshot 2022-02-08 231705)

#4 Updated by Pavel Rosick√Ĺ 3 months ago

you have an error in the URL, it should be
instead of

also, note that news have Rest-API since Redmine 4.1, it won't work on previous versions

#5 Updated by Go MAEDA 2 months ago

  • Status changed from Needs feedback to Closed
  • Resolution set to Invalid

Also available in: Atom PDF