REST API POST and PUT methods get unauthorized error code 401


When I send a GET request with username and password to the login service, I get 200 OK.

When I send a GET request to ip:port/bonita/API/bpm/process?p=0&c=100, I get a response listing all processes.

When I send any POST request, for example to ip:port/bonita/API/bpm/case/ with this body:

{"processDefinitionId": "6397493661701515732", "variables": [{"name": "pp", "value": "87874"}]}

I get unauthorized error 401.

This error appears for any POST/PUT request.
My Bonita version is 7.4.2 with the WildFly server.

Since version 7.4, CSRF security is activated by default.
So if you want to perform any POST, PUT or DELETE method, you need to add the "X-Bonita-API-Token" header.

You can get it from the login call response (together with the JSESSIONID cookie, which you also need to copy).

Example:
Login response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: bonita.tenant=1
Set-Cookie: JSESSIONID=9C16C7E9CAB169BCD94BCD81A78A1E74; Path=/bonita/; HttpOnly
Set-Cookie: X-Bonita-API-Token=cfdd4369-a618-4222-a40f-02b6980e9b59; Path=/
Content-Length: 0
Date: Mon, 27 Feb 2017 09:46:59 GMT

The cookie value you need to copy looks like "JSESSIONID=9C16C7E9CAB169BCD94BCD81A78A1E74" (including "JSESSIONID="),
and the X-Bonita-API-Token value is "cfdd4369-a618-4222-a40f-02b6980e9b59".
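As an added example (not code from the original thread or from the Bonita project), here is a small Python helper showing the step described above: pull JSESSIONID and X-Bonita-API-Token out of the login response, then send the cookie in the Cookie header and the token in the X-Bonita-API-Token header on every POST/PUT/DELETE. The response text is the one quoted above; `start_case`, `base_url` and the cookie parser are assumptions of this example.

```python
"""Extract the Bonita session cookie and CSRF token from a login response
and build the headers needed for POST/PUT/DELETE calls (added example)."""
import json
import urllib.request

# Constructed input: the login response quoted in the answer above.
LOGIN_RESPONSE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: bonita.tenant=1
Set-Cookie: JSESSIONID=9C16C7E9CAB169BCD94BCD81A78A1E74; Path=/bonita/; HttpOnly
Set-Cookie: X-Bonita-API-Token=cfdd4369-a618-4222-a40f-02b6980e9b59; Path=/
Content-Length: 0
"""


def parse_set_cookies(raw_response: str) -> dict:
    """Return {cookie_name: value} for every Set-Cookie header in a raw response.
    Only the name=value pair is kept; attributes such as Path/HttpOnly are dropped."""
    cookies = {}
    for line in raw_response.splitlines():
        if line.lower().startswith("set-cookie:"):
            pair = line.split(":", 1)[1].split(";", 1)[0].strip()
            name, _, value = pair.partition("=")
            cookies[name] = value
    return cookies


def build_write_headers(cookies: dict) -> dict:
    """Headers for a POST/PUT/DELETE: session cookie plus the CSRF token header.
    A missing piece is the usual cause of the 401, so fail loudly instead."""
    missing = [k for k in ("JSESSIONID", "X-Bonita-API-Token") if k not in cookies]
    if missing:
        raise ValueError(f"login response lacks {missing}; cannot make a write call")
    token = cookies["X-Bonita-API-Token"]
    return {
        "Cookie": f"JSESSIONID={cookies['JSESSIONID']}; X-Bonita-API-Token={token}",
        "X-Bonita-API-Token": token,  # CSRF header must equal the cookie value
        "Content-Type": "application/json",
    }


def start_case(base_url: str, headers: dict, process_definition_id: str, variables: list) -> int:
    """Hypothetical helper: POST to /bonita/API/bpm/case/ and return the HTTP status."""
    body = json.dumps({"processDefinitionId": process_definition_id, "variables": variables}).encode()
    req = urllib.request.Request(f"{base_url}/bonita/API/bpm/case/", data=body,
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:  # network call; not exercised offline
        return resp.status
```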


Submitted by samehisthebest on Mon, 02/27/2017 - 15:54

You mean I send the cookie in the request?

And this array of strings will be:

ar[0]="JSESSIONID=9C16C7E9CAB169BCD94BCD81A78A1E74; Path=/bonita/"


Submitted by rositamg1993 on Tue, 04/18/2017 - 18:40

Hello, I have the same problem. I'm using Angular 2 to call the login service; I get status 200 OK but the site doesn't return cookies. What can I do?

Thank you.


I have the correct X-Bonita-API-Token parameter in the cookie.
I've tried to disable the CSRF protection by changing properties and pulling files, but nothing changes.
I always get the 401 error...

How do I activate a trace to see where the problem is?

  • How are you calling the REST methods?
    If it is from an external client, you need to call the login method, parse the response, get the cookies, and then, for the POST/PUT methods, add these cookies to the method headers.

    If it is from a form page, the user is already logged on to the Bonita server, so you don't have to worry; just call the POST or PUT method.

  • And no, the cookies are not added as a method parameter; they need to be added as headers.


Submitted by david_122 on Fri, 07/21/2017 - 19:34

Why would I be getting this error using the Bonita Portal?

Request Headers
DELETE /bonita/API/portal/profileMember/24 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.72 Mobile Safari/537.36
Content-Type: text/plain; charset=utf-8
Accept: */*
Referer: http://localhost:8080/bonita/portal/homepage

Request URL:http://localhost:8080/bonita/API/portal/profileMember/24
Request Method:DELETE
Status Code:401 Unauthorized
Remote Address:[::1]:8080
Referrer Policy:no-referrer-when-downgrade

Submitted by antoine.mottier on Mon, 07/24/2017 - 11:16

How did you get this error? Are you logged in in the Portal with an administrator account and trying to remove a user from a profile? Or did you build the REST request in your own application?

Submitted by david_122 on Mon, 07/24/2017 - 15:12

Yes. I was logged in using the administrator account walter.bates on the Portal, and when trying to edit or remove a user I get this error in the Chrome browser. However, on Firefox it does not error.

Submitted by antoine.mottier on Mon, 07/24/2017 - 18:45

I did a test with Chrome and cannot reproduce the issue. Can you open a ticket on the issue tracker and put as much details as you can to reproduce the issue?

The following information would be useful:

  • step-by-step instructions to reproduce the issue
  • whether you used the Tomcat server embedded in Bonita Studio or installed a bundle
  • the type of database used
  • from your request log it seems that you are using a mobile web browser. Is that correct?