Orchestrator API - 400 Response (Empty or invalid anti forgery header token) when POSTing

Environment
Orchestrator deployed to an Azure web app running version 2018.1.1.

Issue
When I make any POST request to the API it returns a 400 - Empty or invalid anti forgery header token response. Initially I thought this may be because of some bad syntax in the request body but I’m getting the same issue with something as simple as updating the package version of a release.
E.g., I POST this:
{
  "packageVersion": "{{packageVersion}}"
}

to https://{{host}}/odata/Releases({{releaseId}})/UiPath.Server.Configuration.OData.UpdateToSpecificPackageVersion

and receive the 400 response.

Making a GET request such as authenticating or getting releases works fine and as expected. The user authenticating through the API also only belongs to one Organization Unit (OU) but there are multiple OUs in Orchestrator.

Any thoughts?

1 Like

I’m still experiencing this issue. Has anyone run into anything similar?

Anyone else had this issue and know how to resolve?

Hello. Does the user you use for authentication have the right to update packages?

Yes, I get the same response even with the admin user that has view, create, edit and delete rights on everything.

I’m facing the same issue too. Any updates?

Hello! If you’re using a tool like Postman, you’ll have to delete the anti forgery cookie that was kept from a different session. So, for your POST call, go to cookies and you’ll find one called XSRF-TOKEN.
Just delete this one and try again.

8 Likes

Thank you, @Andrei. It’s working now. After deleting this cookie I am able to trigger the POST request successfully. Could you please explain to me what the logic behind this is?

At every POST request a new XSRF-token is created. The Orchestrator server expects the XSRF-token in the response to be the same. Somehow Postman keeps and sends an old token, and that’s why you receive the 400 - Empty or invalid anti forgery header token response.
Personally I didn’t encounter this issue with other tools besides Postman.

3 Likes
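
Added example (not part of the thread and not Orchestrator's code): a generic double-submit anti-forgery check that reproduces the behaviour reported above, where a cookie left in the client's jar triggers the 400 and deleting it lets the POST through. Assumptions: the header name X-XSRF-TOKEN, authentication via an Authorization header, and a server that enforces the header check only when the XSRF-TOKEN cookie accompanies the request; the function names are hypothetical.

```python
import hmac
import secrets

COOKIE = "XSRF-TOKEN"      # cookie name taken from the thread
HEADER = "X-XSRF-TOKEN"    # assumed header name (not given in the thread)
ERROR = "Empty or invalid anti forgery header token"


def check_post(cookies, headers):
    """Return (status, message) for a POST authenticated by an Authorization header.

    Assumed model: the anti-forgery header is required only when the
    browser-style anti-forgery cookie is sent along with the request.
    """
    cookie_token = cookies.get(COOKIE)
    if cookie_token is None:
        # No anti-forgery cookie on the request: the check is not triggered.
        return 200, "OK"
    header_token = headers.get(HEADER, "")
    # Both copies of the token must be present and equal (constant-time compare).
    if not header_token or not hmac.compare_digest(cookie_token, header_token):
        return 400, ERROR
    return 200, "OK"


def demo():
    stale = secrets.token_urlsafe(32)  # constructed: cookie kept from an old session
    jar = {COOKIE: stale}
    results = {}
    # 1. The client's cookie jar replays the old cookie; no header is set.
    results["stale_cookie"] = check_post(jar, {})
    # 2. The header carries a token from a different session than the cookie.
    results["mismatch"] = check_post(jar, {HEADER: secrets.token_urlsafe(32)})
    # 3. Browser-style request: the header echoes the cookie value.
    results["matching"] = check_post(jar, {HEADER: stale})
    # 4. Cookie deleted from the jar, as suggested in the thread.
    results["cookie_deleted"] = check_post({}, {})
    return results


if __name__ == "__main__":
    for name, (status, message) in demo().items():
        print(f"{name:15} -> {status} {message}")
```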