Getting the X-Bonita-API-Token
To whom it may concern,
I am using Bonitasoft Subscription Version 7.3+.
I am trying to access Bonitasoft information from another application, on a different domain.
I am successfully using the 'loginservice' API. I am getting a status of 200. However, I cannot get the X-Bonita-API-Token directly from that response.
I can see that the token is being set correctly in my browser as a cookie under the Bonitasoft server domain. However, I am unable to access the cookies on that domain for the obvious reasons.
I need this token to make subsequent PUT, POST, and DELETE REST API calls. It is required in the header.
How can I get this token locally and put it in the headers of subsequent calls? I appreciate that it is being automatically put into all subsequent calls as a cookie by my browser, but it is not being put into the header.
Someone on my team was able to solve this problem.
After the login service, use 'API/system/session/unusedId' and that service will return the token.
Thanks for the answer!
Having the same problem. After login with a curl request the X-Bonita-API-Token gets saved as expected; if I try to perform the same request with PHP, there is no sign of that cookie. If I try to use API/system/session/unusedId as suggested, I get a 404 not found error? The code of the second request looks like this:
$curl = curl_init();
# curl -v -b saved_cookies.txt --url 'http://localhost:63717/bonita/API/system/session/unusedId' --header "Content-Type: application/x-www-form-urlencoded; charset=utf-8"
$options = array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_VERBOSE => TRUE,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_HEADER => 1,        // include the response headers in the returned string
    CURLOPT_COOKIE => $cookies, // session cookie saved from the login call
    CURLOPT_URL => 'http://localhost:63717/API/system/session/unusedid',
    CURLOPT_HTTPHEADER => array('Content-type: application/x-www-form-urlencoded', 'charset: utf-8')
);
curl_setopt_array($curl, $options); // apply the options to the handle
$returnData = curl_exec($curl);
curl_close($curl);
Where $cookies = 'JSESSIONID=8A78E3A42644DD974546C9CF080F6B01' for example. What am I missing?
Make sure that your REST API call includes in the header the X-Bonita-API-Token with the value obtained from the loginservice call.
Also, you can see a call to /bonita/API/system/session/unusedId when you load the Portal from the Studio (using your web browser developer tools in the network tab). So you can compare your call with the one performed by Bonita Portal.
Finally, you can take a look at this video that explains how to do Bonita REST API calls: https://www.youtube.com/watch?v=PVp5lu8EGp4&t=24s
Thanks for the answer and the video link, I will have a look at it.
My problem is that I can't include the X-Bonita-API-Token in the header because it does not get saved after successfully logging in through the API. Only the session id is saved, but no trace of the Bonita token.
Edit: using Postman and following the instructions of the video, I successfully authenticate but, again, no signs of the X-Bonita-API-Token (only the JSESSIONID gets saved)...
Sorry, I forgot X-Bonita-API-Token is related to CSRF protection and this feature was only enabled by default in version 7.4.0. In 7.3 you need to enable it manually. See: https://documentation.bonitasoft.com/bonita/7.3/csrf-security
In 7.3, usage of X-Bonita-API-Token and, if I remember correctly, JSESSIONID was required.
Also note that 7.3 is out of support since July 2018. So I recommend, if possible, to update to the latest version of Bonita.
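The token flow discussed in this thread, as an added Python example that is not code from any poster or from Bonitasoft: log in, take X-Bonita-API-Token from the cookie jar or, failing that, from the API/system/session/unusedId response header, then send it as a header on later calls. The `BonitaClient` class and the `username`/`password`/`redirect` login form fields are assumptions, not taken from the posts.

```python
import http.cookiejar
import json
import urllib.parse
import urllib.request

TOKEN = "X-Bonita-API-Token"


class BonitaClient:
    """Keeps JSESSIONID in a cookie jar and sends the CSRF token as a header."""

    def __init__(self, base_url):
        self.base = base_url.rstrip("/")  # e.g. http://localhost:63717/bonita
        self.jar = http.cookiejar.CookieJar()
        self.http = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))
        self.token = None

    def login(self, username, password):
        # Assumed form fields; redirect=false asks for a plain status, not a redirect.
        form = urllib.parse.urlencode(
            {"username": username, "password": password, "redirect": "false"})
        self.http.open(self.base + "/loginservice", data=form.encode()).close()
        # 1) With CSRF protection enabled the token arrives as a cookie.
        self.token = next((c.value for c in self.jar if c.name == TOKEN), None)
        if self.token is None:
            # 2) Otherwise query the session resource; per the thread it
            #    returns the token in a response header of the same name.
            with self.http.open(self.base + "/API/system/session/unusedId") as r:
                self.token = r.headers.get(TOKEN)
        return self.token  # None: no token issued, e.g. CSRF protection not enabled

    def call(self, method, path, payload=None):
        # The jar supplies JSESSIONID; the token must also go in a header
        # for PUT, POST and DELETE, because the cookie alone is not read.
        body = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(self.base + path, data=body, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header(TOKEN, self.token)
        with self.http.open(req) as r:
            text = r.read().decode()
            return r.status, (json.loads(text) if text else None)
```

A `None` return from `login` matches the symptom reported above, where only JSESSIONID is saved after a successful login.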
Finally I got the chance to create a fully functional example.
In order to successfully run this example with your Bonita installation you first need to configure CORS on your server: https://documentation.bonitasoft.com/bonita/7.8/enable-cors-in-tomcat-bu...
And here is an example of a page that was served by Apache installed locally on my computer and accessing a remote Bonita server installed on AWS: https://gist.github.com/amottier/aa0758d9a7e5a8a99d1afbbd655a7e0f
We actually get the X-Bonita-API-Token from the HTTP header with the same name that we can find in the answer to a call to