This site has been archived and you can no longer log in or post new messages. For up-to-date community resources please visit

eZ Community » Forums » eZ Publish 5 Platform » REST API and authentication

REST API and authentication

REST API and authentication

Tuesday 07 July 2015 8:56:17 am - 1 reply


I am using AJAX to make some REST calls. But I do not understand how to manage the authentication. I read the REST documentation and from what I understand with session based authentication, when the user is logged in his session is re-used to make REST calls. 

I extended the REST API to add some custom functions so the user can add contents to their favorites, list all favorites and remove favorites. In production, the user will be connected to the front end and should be able to simply click a button to add the content to its favorites.

GET methods work well but the problem is with POST methods like "add" and "remove". When I try to make a call from the front end, I always get the 401 Unauthorized response even if I am logged in as admin.

When I am logged in to the front end, I only see the "eZSESSID" cookie. The "is_logged_in" cookie is not here anymore. But when I delete the eZSESSID cookie, all my ajax calls succeed...

Here is my simple ajax call :


url: '', 

method: "POST", 

data: {contentId: 50, userId: 14}


I use eZ Publish 5..4 EE and I modified the security.yml as recommended.

Does anybody know what I am doing wrong?

If you need more details, please do not hesitate.

Thank you.

Modified on Tuesday 07 July 2015 8:56:57 am by Julien Montavit

Thursday 09 July 2015 11:08:37 am

Answering my own question in case it can help somebody :

First you have to create a session for the user (at page load for example) by requesting /user/sessions/ with the appropriate data/headers as described in the documentation.

Example of an ajax call to create a session :

Then you must store the returned CSRF token and use it for your next calls.

Example of an ajax call to get user information :

Note : using eZ Publish 5.4 EE, there is an issue (I think it's fixed in the 2015.01) when a previous/invalid session cookie is already present. So you must delete it. And if you try to create a session but there is already an existing one, the call will return a 401 Unauthorized error (which is kind of strange imo). So you should use the refresh session call.

I don't know if it is the right way of doing but it works well enough.

Modified on Thursday 09 July 2015 11:18:53 am by Julien Montavit


You must be logged in to post messages in this topic!

36 542 Users on board!

Forums menu

Proudly Developed with from