I’m working with a CRM platform that uses Symfony as backend and AngularJS for frontend. The newer version relies heavily on GraphQL for API communication.
I want to make API calls to the backend using the same endpoints that the Angular app uses. When I check the browser network tab, I can see the authentication flow:
First call goes to example.com/authenticate
Then subsequent requests hit example.com/api/graphql
The authentication request shows:
POST request
200 response
Referrer Policy: strict-origin-when-cross-origin
Request payload contains basic credentials:
{
"user": "myusername",
"pass": "mypassword"
}
When I try to replicate this in Postman, I get a 401 error saying “Invalid CSRF token”. This suggests I need some kind of token before even logging in.
Looking at the browser request headers, I see several cookies including an XSRF-TOKEN. How do I obtain this initial token? I’m confused because this seems like a chicken-and-egg problem: I need a token to log in, but how do I get the token in the first place?
I’ve tried using Postman, Python requests, and n8n but can’t figure out the proper authentication sequence. The CRM system is SuiteCRM if that helps. There’s no API documentation available unfortunately.
Yes, the CSRF token issue is common with SuiteCRM. Start by making a GET request to the main page or login endpoint without any credentials. This retrieves the XSRF-TOKEN cookie necessary to prevent CSRF attacks. After obtaining the token from the response cookies, include it in your authentication POST request headers, typically as X-XSRF-TOKEN or X-CSRF-TOKEN. If you’re using Python requests, utilize a session object to maintain cookie persistence, ensuring that the CSRF token is accessible for subsequent requests. Be mindful that some configurations require the token to be included in both the cookie and header simultaneously.
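The GET-then-POST sequence from this answer as working code, added here and not part of the thread: a constructed stand-in server enforces the same cookie/header match the CRM does, and a standard-library client (urllib with a cookie jar, the equivalent of a requests.Session) performs the two steps. The endpoint paths, the 401 body and the X-XSRF-TOKEN header name are assumptions taken from the question, not SuiteCRM’s own code.

```python
import http.cookiejar, json, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the CRM's double-submit check; not SuiteCRM's own code.
class FakeCrm(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):  # loading the login page mints the token and sets the cookie
        self.send_response(200)
        self.send_header("Set-Cookie", f"XSRF-TOKEN={secrets.token_hex(16)}; Path=/")
        self.end_headers()
        self.wfile.write(b"<html>login page</html>")

    def do_POST(self):  # /authenticate: header must equal the cookie, else 401
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # consume body
        raw = self.headers.get("Cookie", "")
        cookies = dict(p.strip().split("=", 1) for p in raw.split(";") if "=" in p)
        sent = self.headers.get("X-XSRF-TOKEN", "")
        ok = bool(sent) and secrets.compare_digest(sent, cookies.get("XSRF-TOKEN", ""))
        self.send_response(200 if ok else 401)
        self.end_headers()
        self.wfile.write(b"ok" if ok else b"Invalid CSRF token")

# Client side: GET first so the jar holds XSRF-TOKEN, then echo it in the header.
def login(base_url, user, password, send_token=True):
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base_url + "/").read()  # step 1: response sets the XSRF-TOKEN cookie
    token = next(c.value for c in jar if c.name == "XSRF-TOKEN")
    req = urllib.request.Request(base_url + "/authenticate", method="POST",
                                 data=json.dumps({"user": user, "pass": password}).encode(),
                                 headers={"Content-Type": "application/json"})
    if send_token:
        req.add_header("X-XSRF-TOKEN", token)  # step 2: same value the cookie carries
    try:
        return opener.open(req).status  # 200 on success
    except urllib.error.HTTPError as err:
        return err.code  # 401 when the header is missing or does not match

# Runs the fake CRM on a random local port; returns (status with token, status without).
def run_demo():
    server = HTTPServer(("127.0.0.1", 0), FakeCrm)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return (login(base, "myusername", "mypassword"),
                login(base, "myusername", "mypassword", send_token=False))
    finally:
        server.shutdown()
```

Against the real CRM, replace the fake server with the site’s base URL and keep the same session object for the GraphQL calls that follow, since the cookie jar is what carries the token forward.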
Check your browser dev tools again - look at the very first request when you load the CRM login page. There’s probably an initial GET that sets up session cookies before anything else happens. Copy ALL the headers from that request (including user-agent and referrer), then mirror them exactly in Postman. SuiteCRM can be picky about request origins.
Had this same issue with a different CRM last year. Most modern web apps don’t have dedicated CSRF endpoints - they generate tokens when you first load the page. Hit the main URL (like example.com or example.com/login) with a GET request first. This sets your cookies including the XSRF-TOKEN. The server drops the token in the HTML response and sets the cookie at the same time. Grab that token from your cookie jar, then use it for authentication. I had to dig through the login page’s HTML source to find the right endpoint. Sometimes tokens are buried in meta tags too, so you might need to parse the response for extra auth stuff.