API issue with required anti-forgery token

We have a custom application that uses the Octopus API to deploy releases. The API calls are all done from the browser using JS. We are not using an API Key, but use the “integrated-challenge” endpoint so that users can simply authenticate as themselves and only deploy to the environments that their account has access to.

We recently upgraded to version 2019.6.0 from 2018.10.2.

We are now getting a CSRF error when trying to POST to the endpoint to deploy a release:
A required anti-forgery token was not supplied or was invalid. If you are using a browser, please refresh your browser page, then sign out and sign back in to Octopus Deploy again. If you are using the API directly please consider using an API Key for authentication. If you are using a tool provided by Octopus Deploy please upgrade to the latest version of that tool and try again.

Looking at the request in the dev tools, we are sending the cookie that contains the “Octopus-Csrf-Token”.

Has something changed about how this works? Looking through the Octopus documentation, I did find a reference to adding this header to the request: X-Octopus-Csrf-Token. Is that required now? I’m not sure how I would get access to this token to add to the header.
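
An added example, not part of the original post and not Octopus Deploy's code: a generic double-submit-cookie check, showing why a state-changing request that carries only the CSRF cookie is rejected while one that also echoes the token in a header is accepted. It assumes the server validates this way; the cookie and header names come from the post, while the function names and token value are hypothetical.

```javascript
// Added example: generic double-submit-cookie validation, not Octopus Deploy's code.
// Cookie and header names are taken from the post; everything else is hypothetical.
const CSRF_COOKIE_PREFIX = "Octopus-Csrf-Token";
const CSRF_HEADER = "x-octopus-csrf-token";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Parse a Cookie header value into [name, value] pairs.
function parseCookies(cookieHeader) {
  return (cookieHeader || "")
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.includes("="))
    .map((part) => {
      const i = part.indexOf("=");
      return [part.slice(0, i), part.slice(i + 1)];
    });
}

// Compare two strings without returning early on the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns { ok, reason } for a request shaped as { method, headers }.
function checkAntiForgery(request) {
  if (SAFE_METHODS.has(request.method.toUpperCase())) return { ok: true, reason: "safe method" };
  const headers = {};
  for (const [k, v] of Object.entries(request.headers)) headers[k.toLowerCase()] = v;
  const cookie = parseCookies(headers["cookie"]).find(([name]) => name.startsWith(CSRF_COOKIE_PREFIX));
  if (!cookie) return { ok: false, reason: "no CSRF cookie" };
  const supplied = headers[CSRF_HEADER];
  // The browser attaches cookies automatically, so the cookie alone proves nothing.
  if (!supplied) return { ok: false, reason: "CSRF header missing" };
  if (!constantTimeEqual(cookie[1], supplied)) return { ok: false, reason: "CSRF header mismatch" };
  return { ok: true, reason: "tokens match" };
}

// Constructed sample requests (the token value is made up).
const cookieOnly = { method: "POST", headers: { Cookie: "Octopus-Csrf-Token=abc123" } };
const withHeader = { method: "POST", headers: { Cookie: "Octopus-Csrf-Token=abc123", "X-Octopus-Csrf-Token": "abc123" } };
console.log(checkAntiForgery(cookieOnly), checkAntiForgery(withHeader));
```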
