Authenticating with a GraphQL API: Token retrieval methods for different tools

Hey everyone, I’m working with a CRM that uses Symfony and AngularJS. The new version relies heavily on GraphQL for the frontend.

I’m trying to make API calls directly to the backend, but I’m stuck at the login step. In my browser, I can see the network requests:

  1. POST to /login with username and password
  2. Subsequent calls to /api/graphql

When I try to replicate this in Postman, Python, or n8n, I get a 401 error: “Invalid CSRF token.”

I’ve noticed some cookies in the browser request:

sugar_user_theme=suite8
ck_login_language_20=en_us
ck_login_id_20=1fb445cf-beb5-8516-e1c7-667d0c65d69e
ck_login_theme_20=suite8
LEGACYSESSID=eru2qr049asl1j2lce92ctqc5d
PHPSESSID=5kic2vltncem33iann1gg1mh6f
XSRF-TOKEN=WAdBVrC1HOFzxAkzuoWMFY-5YgssbvtfSZWxx4xzJgc

Are these the tokens I need? How do I get them for my API calls? Any help would be awesome!

I’ve dealt with similar authentication issues when working with GraphQL APIs. From my experience, the XSRF-TOKEN cookie is crucial for preventing cross-site request forgery attacks. You’ll need to include this token in your request headers.

For Postman, try adding a header ‘X-XSRF-TOKEN’ with the value from the XSRF-TOKEN cookie. In Python, you can use the requests library to handle cookies automatically. Make sure to use a session object to maintain cookies between requests.

For n8n, you might need to implement a custom authentication method. First, make a request to /login to get the cookies, then extract the XSRF-TOKEN and use it in subsequent requests.

Remember, some APIs also require you to send the cookies back with each request. You might need to include PHPSESSID and LEGACYSESSID as well.

If you’re still having trouble, check if the API documentation mentions any specific authentication flow for external tools. Sometimes, there are separate endpoints or methods for programmatic access.

Yo, if you’re stuck, grab the XSRF-TOKEN from login and pass it in your X-XSRF-TOKEN header. Also send the PHPSESSID and LEGACYSESSID cookies. Sometimes APIs need extra auth for non-browser access. Good luck!

Having worked with GraphQL APIs in various projects, I can share some insights on authentication. The XSRF-TOKEN is indeed crucial, but don’t overlook the session cookies like PHPSESSID and LEGACYSESSID.

For your API calls, you’ll need to mimic the browser’s behavior. Start with a POST request to /login, capturing all returned cookies. Then, for subsequent GraphQL requests, include these cookies and add the X-XSRF-TOKEN header with the value from the XSRF-TOKEN cookie.

In Python, using a requests.Session() object can handle cookie management automatically. For Postman, you might need to manually set the cookies and headers after the login request.

If you’re still encountering issues, check if the API requires additional headers or has specific requirements for external access. Some systems use different authentication methods for programmatic interactions versus browser-based access.
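The flow the answers above describe (POST /login, keep every cookie, mirror XSRF-TOKEN into X-XSRF-TOKEN, then call /api/graphql) as a complete script. This is an added example, not code from the thread or from the CRM vendor, and it uses only the Python standard library so it runs without installing requests. Everything about the server is taken from the browser capture in the question, not from documentation: the form field names `username`/`password`, the `/login` and `/api/graphql` paths, and the host `crm.example.com` are assumptions, and the `{ __typename }` query is just a schema-independent smoke test.

```python
"""
Added example (not from the thread, not the CRM's own client code): replay the
browser's login -> GraphQL flow from a script, using only the Python stdlib.

Assumptions, taken from the browser capture in the question rather than docs:
  * POST /login takes form fields "username" and "password" (field names assumed)
  * the login response sets XSRF-TOKEN plus the session cookies (PHPSESSID, LEGACYSESSID)
  * /api/graphql expects the XSRF-TOKEN cookie value echoed back in X-XSRF-TOKEN
"""
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie

XSRF_COOKIE = "XSRF-TOKEN"
XSRF_HEADER = "X-XSRF-TOKEN"
GRAPHQL_PATH = "/api/graphql"


def make_session():
    """Cookie-aware opener: the stdlib stand-in for requests.Session().
    Every Set-Cookie from /login lands in the jar and is replayed automatically."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    return opener, jar


def xsrf_token(jar):
    """Read XSRF-TOKEN out of the jar. The server sets it without HttpOnly precisely
    so the browser's JS (Angular's HttpClient) can read it and mirror it into the
    header; we do the same by hand."""
    for cookie in jar:
        if cookie.name == XSRF_COOKIE:
            return cookie.value
    raise RuntimeError(f"{XSRF_COOKIE} not set after login; check credentials/URL")


def token_from_cookie_header(cookie_header):
    """Same thing for the Postman case: paste the raw 'Cookie:' header value copied
    from devtools ('a=b; c=d; ...') and get the token back."""
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if XSRF_COOKIE not in cookies:
        raise ValueError(f"{XSRF_COOKIE} missing from Cookie header")
    return cookies[XSRF_COOKIE].value


def login(opener, base_url, username, password):
    """Step 1 of the capture: POST credentials; cookies are captured by the jar.
    urllib follows the usual post-login 302 and still records cookies set on it."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/login", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with opener.open(req) as resp:
        resp.read()  # body is the post-login page; only the cookies matter here


def graphql_request(base_url, token, query, variables=None):
    """Step 2: the request the Angular frontend sends: JSON body plus the CSRF header.
    Kept separate from the network call so it can be inspected without a server."""
    payload = json.dumps({"query": query, "variables": variables or {}}).encode()
    req = urllib.request.Request(f"{base_url}{GRAPHQL_PATH}", data=payload, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header(XSRF_HEADER, token)
    return req


def graphql(opener, base_url, token, query, variables=None):
    """Send a query with the session cookies and X-XSRF-TOKEN; raise on GraphQL errors."""
    req = graphql_request(base_url, token, query, variables)
    with opener.open(req) as resp:
        result = json.loads(resp.read())
    if result.get("errors"):
        raise RuntimeError(result["errors"])
    return result["data"]


if __name__ == "__main__":
    import getpass
    import sys

    # Hypothetical host; replace with the CRM's real base URL (HTTPS only).
    base = sys.argv[1] if len(sys.argv) > 1 else "https://crm.example.com"
    opener, jar = make_session()
    login(opener, base, input("username: "), getpass.getpass("password: "))
    print("cookies after login:", sorted(c.name for c in jar))
    # "{ __typename }" is valid against any GraphQL schema, so it is a safe smoke test.
    print(graphql(opener, base, xsrf_token(jar), "{ __typename }"))
```

The XSRF-TOKEN cookie plus X-XSRF-TOKEN header is Angular's default CSRF convention: the server only checks that the two values match, so a request that carries the cookie but not the header is rejected, which is the “Invalid CSRF token” 401 seen in the question. In Postman the equivalent is a post-login test script that copies the cookie into an environment variable and a header on the GraphQL request; in n8n, an HTTP Request node for /login with cookie handling followed by a node that sets the header from the extracted value.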