I’m trying to delete attachments from Jira issues using HTTP requests instead of the SOAP API. The SOAP API doesn’t seem to support attachment deletion natively, and I want to avoid creating custom plugins.
I found a solution that should work, but I keep getting an XSRF Security Token Missing error. The error message says that Jira cannot complete the action due to a missing form token.
I’m working with ASP.NET MVC and C#. Here’s my current approach:
    public void DeleteFileAttachment(string ticketId, string fileId)
    {
        using (System.Net.WebClient webClient = new System.Net.WebClient())
        {
            // Build base URL from service endpoint
            string jiraBaseUrl = _webService.Url.Substring(0, _webService.Url.IndexOf("/rpc/"));
            // Create deletion URL
            string deleteUrl = jiraBaseUrl + "/secure/DeleteAttachment.jspa?id=" +
                ticketId + "&deleteAttachmentId=" + fileId;
            webClient.Credentials = new System.Net.NetworkCredential("myuser", "mypass");
            string result = webClient.DownloadString(deleteUrl);
        }
    }
I’ve tried passing credentials as URL parameters using os_username and os_password but still get the same token error. How can I properly handle the XSRF token requirement when making these HTTP calls to delete attachments?
Had this exact problem when migrating from SOAP to REST calls in an older Jira instance. The issue is that you’re hitting the web interface endpoint which expects browser-like behavior including proper session handling. What worked for me was switching to a two-step process: first make a GET request to any Jira page while authenticated to establish your session and capture the cookies, then use those cookies in your DELETE request along with the X-Atlassian-Token header set to “no-check”. You’ll need to replace WebClient with HttpWebRequest to properly handle the cookie container. Keep in mind this approach is fragile since it relies on Jira’s web interface which can change between versions. If possible, upgrade to a newer Jira version that supports the proper REST API for attachment deletion as it’s much more reliable.
You gotta get the XSRF token first from a GET request to Jira before your delete call. Check the response headers or HTML for the atlassian-token value and include it in your delete request headers as X-Atlassian-Token.
The XSRF token issue occurs because Jira requires a valid session and token for destructive operations. Instead of trying to work around the web interface, consider using the proper REST API endpoint for attachment deletion which was introduced in later versions. If you must use the web interface approach, you need to establish a proper session first by making a POST request to the login page, then extract the session cookies and XSRF token from the response. Include these in subsequent requests using CookieContainer with your WebClient. Alternatively, check if your Jira version supports the DELETE /rest/api/2/attachment/{id} endpoint. This is much cleaner than scraping the web interface and handles authentication through standard HTTP basic auth or API tokens without needing XSRF protection.
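The REST call named in the last answer, `DELETE /rest/api/2/attachment/{id}` with HTTP basic auth, as an added example that is not part of the original posts. The class and method names are hypothetical, and it assumes the Jira version in use exposes this endpoint and that the base URL is the Jira root (the part of the SOAP URL before `/rpc/`).

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

// Hypothetical helper, not Atlassian's or the poster's code.
public static class JiraAttachmentClient
{
    // Returns true if the attachment was deleted, false if Jira reports it does not exist.
    // Pass credentials in from protected configuration rather than hard-coding them.
    public static async Task<bool> DeleteAttachmentAsync(
        HttpClient http, Uri baseUrl, string attachmentId, string user, string secret)
    {
        // Attachment ids are numeric. Parsing first means the caller-supplied string
        // can never add path segments or query parameters to the request URL.
        long id;
        if (!long.TryParse(attachmentId, out id) || id <= 0)
            throw new ArgumentException("Attachment id must be a positive integer.", "attachmentId");

        // Basic auth is only base64-encoded, so refuse to send it over plain HTTP.
        if (baseUrl.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Base URL must use HTTPS.", "baseUrl");

        string url = baseUrl.AbsoluteUri.TrimEnd('/') + "/rest/api/2/attachment/" + id;
        using (var request = new HttpRequestMessage(HttpMethod.Delete, url))
        {
            string basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + secret));
            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);

            using (HttpResponseMessage response = await http.SendAsync(request))
            {
                if (response.StatusCode == HttpStatusCode.NoContent)
                    return true;   // 204: attachment removed
                if (response.StatusCode == HttpStatusCode.NotFound)
                    return false;  // 404: no attachment with this id
                // 401/403 and anything else: surface the status instead of failing silently.
                throw new HttpRequestException(
                    "Jira attachment delete failed with HTTP " + (int)response.StatusCode);
            }
        }
    }
}
```

Unlike the `DownloadString` call in the question, this sends an actual DELETE request to the REST endpoint and does not touch `/secure/DeleteAttachment.jspa`.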