HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

API v2 Post with CSRF Token?


I'm using Vanilla V2021.012 / API v2

I'm still quite inexperienced in dealing with APIs. I can get anything I want from the API using GET. But when I use POST I get the message 'invalid CSRF Token'.

<meta name="csrf-token" content="" />string(210) "{

  "message": "Invalid CSRF token. Please try again.",

  "status": 403,

  "msg": "Invalid CSRF token. Please try again.",

  "code": 403,

  "except": [],

  "type": "!csrf",

  "description": null


I understand that the CSRF token is generated on the server on the first call and stored in the session, right?

Or in local cookies?

However, how do I need to do this to get the correct CSFR token?

And how do I have to use it to avoid this error and e.g. add a new user in the database?

My code so far looks like this:


$url = "https://example.com/app/vanilla/api/v2/users";

// ???

$CSRF_Token = '';

$curl = curl_init($url);

curl_setopt($curl, CURLOPT_URL, $url);

$headers = array(

  "Accept: application/json",

  // replaced by an example access token

  "Authorization: Bearer {va.hdyeh^hdnjcdiernYHYNeuhe_eheyde.FGT674hYT.wyheef874}",

 // "X-CSRF-TOKEN: $CSRF_Token"


$data = array(

  'bypassSpam'   => 'false',

  'email'     => 'theo@example.com',

  'emailConfirmed' => 'true',

  'name'      => 'Theo Tester',

  'password'    => '1234567890',

  'photo'     => '',

  'roleID'     => [33]


$payload = json_encode(array($data));

// Attach encoded JSON string to the POST fields

curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);

// Set the content type to application/json

curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);

// Return response instead of outputting

curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

//for debug only!

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);

$resp = curl_exec($curl);




Thank you very much for some enlightenment!!!

Sign In or Register to comment.