The docs at https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/ and https://www.jenkins.io/doc/book/using/remote-access-api/ both strongly imply that you don't need to supply a crumb when calling the API from scripted clients, if you use an API token. They both illustrate curl/wget calls with API tokens and no crumb header, and the latter says "API tokens are preferred *instead of* crumbs for CSRF protection".
This seems to be true for GET requests - I can make a GET to $JENKINS_URL/job/myjob/changes with a valid user/ApiToken and it succeeds. However, when I POST to trigger that job, I get "HTTP ERROR 403 No valid crumb was included in the request". (Problem for me is that this seems to break Spinnaker's ability to trigger Jenkins jobs unless I disable CSRF completely, which obviously I don't want to do.)

Is it by design that even an ApiToken must be combined with a crumb to do POSTs? Can this be disabled? Is this anything to do with https://www.jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6?

I'm on Jenkins 2.235.5 <https://jenkins.io/>

Thanks