last person joined: yesterday 

Expand all | Collapse all

CSRF token missing or incorrect

Jump to Best Answer
  • 1.  CSRF token missing or incorrect

    Posted Aug 28, 2019 10:31 AM

    I am using python 3 to login via the Aruba Central API and then try to retrieve an authorization token. 


    I am getting the error CSRF token missing or incorrect.


    The requests library is using a session manager which automatically passes the csrftoken and session cookies to the next request being made, but they are not being accepted even though they are being directly generated from the previous request.


    Things i double checked:

    • both requests are using the same client_id
    • the hostname for the api endpoint works correctly for the first api request, so it should work for the second

    The best documentation I could find on making these requests was a PDF found from a google search.




    import requests, json, pprint
    session = requests.Session()
    url = ""
    querystring = {"client_id":"REMOVED"}
    payload = {"username":"REMOVED", "password" : "REMOVED"}
    response =, json=payload, params=querystring)
    print('response cookies', response.cookies)
    url = ""
    querystring = {"client_id":"REMOVED","response_type":"code","scope":"read"}
    response =, params=querystring)
    print('request headers sent', response.request.headers)

    How can I get this to work?


  • 2.  RE: CSRF token missing or incorrect
    Best Answer

    Posted Aug 28, 2019 10:41 AM



    You need to add X-CSRF cookie, you can look (attach txt file) or the powershell example


    the CSRF is return when make the first connection and you need to send on each request



  • 3.  RE: CSRF token missing or incorrect

    Posted Aug 28, 2019 11:02 AM

    Hi it worked. Can you please put a link to the official documentation that mentions this? I couldn't find it anywhere. Thanks

  • 4.  RE: CSRF token missing or incorrect

    Posted Aug 28, 2019 11:11 AM

    on your pdf...


    Pass the CSRF-TOKEN value you obtained in step one in the request header, otherwise the request will be rejected.


  • 5.  RE: CSRF token missing or incorrect

    Posted Aug 28, 2019 12:43 PM

    For those who also couldn't get this to work, the response from the api returns a Set-Cookie header with csrftoken=<TOKEN_DATA>; session=<SESSION_DATA> but an ADDITIONAL HEADER containing the exact same CSRF token is required to make a request.


    These are the headers sent to make a successful api request via the python requests library:


    {'User-Agent': 'python-requests/2.18.3', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'X-CSRF-TOKEN': '##3207d77024a06e0
    c82282ddfc315ae5127a2ba7f', 'Cookie': 'csrftoken=##3507d77024a05e0c82282ddec315ae5127a2ba7f; session=edc2d6d4539809a0_5e66ade6.XObDI4NNmg58LxRAtgl6WtMjLUw', 'Content-Length': '0