I'm experimenting with the TeamCity API with Postman. When doing POST and PUT requests, you're required to supply an Authorize header with a token that's permanent, and also an X-TC-CSRF-Token header that has to be requested in a previous call.
This works fine in, for example, PowerShell. But in Postman I get a 403 because the CSRF tokens don't match. According to the documentation:
When considering HTTP request safety from the TeamCity perspective, the following checks are sequentially made:
- If an HTTP request has a secure CSRF token either in the parameter or in the HTTP header and this token matches the one stored in user session, it is considered safe.
- If an HTTP request is a non-modifying one (such as GET), it is considered safe.
My guess is that it fails because the user session is not the same in both Postman requests, even though I've set it up in a pre-request script. Or maybe it's cookie-related, as noted here.
I've looked around Postman settings but haven't found anything obvious to change. Any ideas?
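
As an added example (not part of the original post, and not TeamCity's code), here is a simplified JavaScript model of the two checks quoted above. The server class, the session cookie handling and the 403 response are assumptions made for illustration; it shows the token being accepted only when the session cookie from the token request is sent back with the POST.

```javascript
// Simplified model of the two checks quoted from the documentation.
// Not TeamCity code: the class, cookie handling and status codes are assumptions.
const crypto = require('crypto');

class ModelServer {
  constructor() { this.sessions = new Map(); } // session id -> CSRF token

  // Find the session named by the cookie, or start a new one with a fresh token.
  session(cookie) {
    if (cookie && this.sessions.has(cookie)) return cookie;
    const id = crypto.randomBytes(8).toString('hex');
    this.sessions.set(id, crypto.randomBytes(16).toString('hex'));
    return id;
  }

  handle({ method, cookie, csrfHeader }) {
    const id = this.session(cookie);
    const expected = this.sessions.get(id);
    const reply = (status, body) => ({ status, body, setCookie: id });
    // Check 1: token in the header matches the one stored in the user session.
    if (csrfHeader && tokensEqual(csrfHeader, expected)) return reply(200, 'ok');
    // Check 2: non-modifying request. In this model a GET returns the session's token.
    if (method === 'GET') return reply(200, expected);
    return reply(403, 'CSRF token mismatch');
  }
}

// Constant-time comparison of two token strings.
function tokensEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Client: fetch a token, then POST with it. keepCookies toggles the cookie jar.
function fetchTokenThenPost(server, keepCookies) {
  const first = server.handle({ method: 'GET' });
  const cookie = keepCookies ? first.setCookie : undefined;
  return server.handle({ method: 'POST', cookie, csrfHeader: first.body }).status;
}

const server = new ModelServer();
console.log('same session:', fetchTokenThenPost(server, true));   // 200
console.log('new session: ', fetchTokenThenPost(server, false));  // 403
```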