Getting the X-Bonita-API-Token


To Whom it may concern,

I am using Bonitasoft Subscription Version 7.3+.

I am trying to access Bonitasoft information from another application, on a different domain.

I am successfully using the 'loginservice' API. I am getting a status of 200. However I cannot get the X-Bonita-API-Token directly from that response.

I can see that the token is being set correctly in my browser as a cookie under the Bonitasoft server domain. However I am unable to access the cookies on that domain for the obvious reasons.

I need this token to make subsequent PUT, POST, and DELETE REST API calls. It is required in the header.

How can I get this token locally and put it in the headers of subsequent calls? I appreciate that it is being automatically put into all subsequent calls as a cookie by my browser, but it is not being put into the header.

Thank you,


Submitted by agaughan on Fri, 07/14/2017 - 22:29

Also the server that is being used is WildFly, not Tomcat.

1 answer


Someone on my team was able to solve this problem.

After the login service use 'API/system/session/unusedId' and that service will return the token.


Submitted by Lionel Palacin on Mon, 07/17/2017 - 23:02

Thanks for the answer!

Submitted by vitiellom on Wed, 02/13/2019 - 12:19

Having the same problem. After logging in with a curl request, the X-Bonita-API-Token gets saved as expected; if I try to perform the same request with PHP, there is no sign of that cookie. If I try to use API/system/session/unusedId as suggested, I get a 404 not found error. The code of the second request looks like this:

$curl = curl_init();
# curl -v -b saved_cookies.txt --url 'http://localhost:63717/bonita/API/system/session/unusedId' --header "Content-Type: application/x-www-form-urlencoded; charset=utf-8"
$options = array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_COOKIE => $cookies,
    CURLOPT_URL => 'http://localhost:63717/API/system/session/unusedid',
    CURLOPT_HTTPHEADER => array('Content-type: application/x-www-form-urlencoded', 'charset: utf-8'),
);
curl_setopt_array($curl, $options);
$returnData = curl_exec($curl);

Where $cookies = 'JSESSIONID=8A78E3A42644DD974546C9CF080F6B01' for example. What am I missing?


Submitted by antoine.mottier on Thu, 02/14/2019 - 11:19

Make sure that your REST API call includes in the header the X-Bonita-API-Token with the value obtained from the loginservice call.

Also, you can see a call to /bonita/API/system/session/unusedId when you load the Portal from the Studio (using your web browser's developer tools, in the network tab). So you can compare your call with the one performed by Bonita Portal.

Finally, you can take a look at this video that explains how to do a Bonita REST API call:

Submitted by vitiellom on Thu, 02/21/2019 - 12:27

Thanks for the answer and the video link, I will have a look at it.

My problem is that I can't include the X-Bonita-API-Token in the header because it does not get saved after successfully logging in through the API. Only the session id is saved, but no trace of the Bonita token.

Edit: using Postman and following the instructions of the video, I successfully authenticate but, again, no sign of the X-Bonita-API-Token (only the JSESSIONID gets saved)...

Submitted by antoine.mottier on Thu, 02/28/2019 - 11:06

Sorry, I forgot X-Bonita-API-Token is related to CSRF protection and this feature was only enabled by default in version 7.4.0. In 7.3 you need to enable it manually. See:

In 7.3 usage of X-Bonita-API-Token and if I remember correctly JSESSIONID was required.

Also note that 7.3 is out of support since July 2018. So I recommend if possible to update to the latest version of Bonita.

Submitted by on Mon, 03/04/2019 - 18:46

I can see that the X-Bonita-API-Token has been set on the browser after I do a post to 'loginservice' but I cannot access the cookie in which the token is stored via javascript because (presumably) I am trying to do so from a server other than that which set the cookie. When I tried calling 'API/system/session/unusedId' after loginservice I get a 401 error. Can somebody please provide some help as to how to get the X-Bonita-API-Token via a JS framework that is calling the bonita server remotely? Thanks much

Submitted by antoine.mottier on Thu, 03/21/2019 - 19:39

Finally I get the chance to create a fully functional example.

In order to successfully run this example with your Bonita installation you first need to configure CORS on your server:

And here is an example of a page that was served by Apache installed locally on my computer and accessing a remote Bonita server installed on AWS:

We actually get the X-Bonita-API-Token from the HTTP header with the same name that we can find in the answer to a call to /API/system/session API.
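
The flow described in this thread (POST to loginservice, read the X-Bonita-API-Token response header from /API/system/session/unusedId, then send it as a request header), as an added example that is not part of the original posts and is not Bonita's own code. The `BonitaClient` class, its method names and the injectable `fetchImpl` parameter are assumptions made for illustration; the base URL is supplied by the caller.

```javascript
// Added example: cross-origin Bonita login, then CSRF token read from a response header.
const TOKEN_HEADER = 'X-Bonita-API-Token';

class BonitaClient {
  // fetchImpl is injectable (hypothetical parameter) so the flow can be run offline.
  constructor(baseUrl, fetchImpl = globalThis.fetch) {
    this.baseUrl = baseUrl.replace(/\/+$/, '');
    this.fetchImpl = (...args) => fetchImpl(...args); // wrapper avoids rebinding `this` on window.fetch
    this.token = null;
  }

  async login(username, password) {
    // credentials: 'include' lets the browser store and resend JSESSIONID cross-origin.
    const res = await this.fetchImpl(`${this.baseUrl}/loginservice`, {
      method: 'POST',
      credentials: 'include',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ username, password, redirect: 'false' }).toString(),
    });
    if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
    return this.refreshToken();
  }

  async refreshToken() {
    const res = await this.fetchImpl(`${this.baseUrl}/API/system/session/unusedId`, { credentials: 'include' });
    if (!res.ok) throw new Error(`session lookup failed: HTTP ${res.status}`);
    // The cookie set for the Bonita domain is unreadable from another origin, so the
    // token is taken from the response header of the same name instead.
    const token = res.headers.get(TOKEN_HEADER);
    if (!token) throw new Error(`${TOKEN_HEADER} missing: CSRF protection disabled or header not exposed by CORS`);
    this.token = token;
    return token;
  }

  // PUT, POST and DELETE calls carry the token as a request header, not only as a cookie.
  async call(method, path, body) {
    if (!this.token) throw new Error('not logged in');
    return this.fetchImpl(`${this.baseUrl}/${path}`, {
      method,
      credentials: 'include',
      headers: { 'Content-Type': 'application/json', [TOKEN_HEADER]: this.token },
      body: body === undefined ? undefined : JSON.stringify(body),
    });
  }
}
```

From a page on another origin, the browser only returns a non-null value from `headers.get()` if the server's CORS configuration allows credentials for that specific origin and lists X-Bonita-API-Token in `Access-Control-Expose-Headers`.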

Submitted by sujitht on Wed, 07/22/2020 - 14:07

Yes, I too have the same problem: trying to access http://localhost:8080/bonita/API/system/session/unusedid and getting a 401 error. I'm trying to do this with Java so that I can retrieve the X-Bonita-API-Token for further API calls. Any suggestions here?