Authentication with GraphQL endpoint - Getting access token using Python/Postman/n8n

I need help with authenticating to a GraphQL API that’s part of a CRM system. The system uses Symphony on the backend with an AngularJS frontend, and version 8.x relies heavily on GraphQL for most operations.

When I examine the browser’s network activity during login, I can see two main endpoints being called:

  • domain.com/authenticate for the initial login
  • domain.com/api/graphql for subsequent API calls

The authentication request shows a POST method with 200 status code. The request payload contains basic credentials in JSON format with email and password fields.

I’m trying to replicate this authentication flow using different tools like n8n, Python requests, or Postman, but I keep running into issues.

When I attempt the same POST request in Postman, I get a 401 error saying “Invalid CSRF token.” This suggests I need some kind of token before I can even authenticate.

Looking at the browser’s request headers, I notice several cookies being sent:

Cookie: app_theme=modern; lang_pref=en_us; session_id=abc123def456; security_token=xyz789

My questions are:

  1. How do I obtain the initial CSRF token needed for authentication?
  2. Is this token the same as a bearer token that I can use in Postman’s Authorization tab?
  3. What’s the proper sequence for getting authenticated and then making GraphQL queries?

I don’t have access to official API documentation, but I can see the working AngularJS code. Any guidance on the correct authentication flow would be greatly appreciated.

yeah, def grab those cookies first! just hit the main domain with a GET request to snag the session cookies, then use them for your /authenticate POST. the CSRF token’s probably hiding in one of those cookies or the GET response headers, good luck!

This CSRF token issue is super common with Symphony CRMs. I’ve dealt with similar setups before - that security_token in your cookies is probably what you need. Don’t put it in the Authorization header though. It usually goes in the request headers as ‘X-CSRF-Token’ or ‘X-Security-Token’.

Here’s what works for me: First, do a GET request to the main domain or login page to grab a session and get the initial cookies. Pull out that security_token value and stick it in your auth request headers. So your flow should be:

  1. GET for session setup
  2. grab CSRF token from cookies
  3. POST to /authenticate with your credentials plus the CSRF token in headers
  4. use those auth cookies for GraphQL calls

One more thing - some Symphony setups need you to keep the session_id cookie active through the whole process, so don’t drop any cookies between requests.

Had this exact headache with a Symphony CRM last month. Here’s what finally worked for me. When you hit the main domain, Symphony embeds the CSRF token right in the HTML - not just cookies. Look for <meta name="csrf-token" content="..."> in the response body or check for JavaScript variables with token values. I had to grab this token from the HTML first, then send it as both a cookie AND header in my auth request. Token names vary but I’ve seen X-CSRF-TOKEN, X-Requested-With, and X-Security-Token work.

Also - some Symphony versions are picky about Content-Type being exactly application/json with no charset. Once you’re authenticated, the session cookies work fine for GraphQL calls without needing the CSRF token again.
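A Python requests version of the flow the two answers above describe (GET for cookies and token, POST to /authenticate with the token header, then GraphQL on the same session), added here as an illustration and not code from the thread or from the CRM vendor. The header name X-CSRF-Token, the csrf-token meta tag and the security_token cookie name are assumptions taken from the answers and may need adjusting for a given deployment.

```python
from html.parser import HTMLParser

CSRF_META_NAME = "csrf-token"        # assumed: <meta name="csrf-token" content="...">
CSRF_COOKIE_NAME = "security_token"  # cookie name from the question
CSRF_HEADER = "X-CSRF-Token"         # assumed header name; deployments differ

class _MetaTokenParser(HTMLParser):
    # Collects the content attribute of the first <meta name="csrf-token"> tag.
    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and self.token is None and attr.get("name") == CSRF_META_NAME:
            self.token = attr.get("content")

def extract_csrf_token(html, cookies):
    """Prefer the token embedded in the HTML, fall back to the cookie value,
    and return None when neither is present so the caller can stop early."""
    parser = _MetaTokenParser()
    parser.feed(html)
    return parser.token or cookies.get(CSRF_COOKIE_NAME)

def login_and_query(base_url, email, password, query, variables=None):
    """GET login page -> extract CSRF token -> POST /authenticate -> GraphQL."""
    import requests  # imported here so extract_csrf_token stays usable offline

    session = requests.Session()  # one cookie jar carries session_id throughout
    page = session.get(f"{base_url}/", timeout=15)
    page.raise_for_status()
    token = extract_csrf_token(page.text, session.cookies)
    if token is None:
        raise RuntimeError("no CSRF token found in page body or cookies")

    # json= sends Content-Type: application/json without a charset parameter
    auth = session.post(f"{base_url}/authenticate",
                        json={"email": email, "password": password},
                        headers={CSRF_HEADER: token}, timeout=15)
    auth.raise_for_status()  # a 401 here usually means the wrong header name

    resp = session.post(f"{base_url}/api/graphql",
                        json={"query": query, "variables": variables or {}},
                        timeout=15)
    resp.raise_for_status()
    body = resp.json()
    if body.get("errors"):  # GraphQL returns 200 even when the query failed
        raise RuntimeError(f"GraphQL errors: {body['errors']}")
    return body["data"]
```

Keep the credentials out of logs and source control (read them from the environment or a secrets store), and prefer the meta-tag token over the cookie when both are present, since that is the value the frontend itself submits.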