Headless Delivery API only supports BASIC AUTH?Headless Delivery API only supports BASIC AUTH?https://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1187904552026-04-04T00:12:06Z2026-04-04T00:12:06ZRE: Headless Delivery API only supports BASIC AUTH?Kirk Cunninghamhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1188724802020-04-07T09:19:13Z2020-04-07T09:19:13Z<div class="quote-title">Javier Gamarra:</div><blockquote><br />Headless APIs support the same auth mechanism as the portal (OAuth, session, basic). The issue there is the CSRF check, either you disable it or pass the p_p_auth token. It's briefly explained here: <a href="https://portal.liferay.dev/docs/7-2/frameworks/-/knowledge_base/f/making-authenticated-rest-api-requests#using-cookie-authentication-or-making-requests-from-the-ui">https://portal.liferay.dev/docs/7-2/frameworks/-/knowledge_base/f/making-authenticated-rest-api-requests#using-cookie-authentication-or-making-requests-from-the-ui</a>/<a href="https://www.mygroundbiz.mobi/">MyGroundBiz</a></blockquote>love it thank for the valuable information…Kirk Cunningham2020-04-07T09:19:13ZRE: Headless Delivery API only supports BASIC AUTH?Javier Gamarrahttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1187952832020-03-23T16:24:24Z2020-03-23T16:24:24ZIn a new tab, It's going to fail unless you disable CSRF checks for urls like /o/headless... or you propagate the p_p_auth token (that you already have). You are doing a request in a new tab and logged so the browser attachs the cookie identifier (so you are logged) but it doesn't send any other headers to avoid other sites trying to impersonate you.<br />If you want to call if from JS code you have to use fetch or a JS request library, Liferay.Service integrates with Java services but is not meant to be used with headless REST endpoints. You won't have to propagate anything because the request will be decorated automatically, because you will do it from a liferay loaded page (vs an API call directly).Javier Gamarra2020-03-23T16:24:24ZRE: Headless Delivery API only supports BASIC AUTH?Michael Freemanhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1187934632020-03-23T11:55:57Z2020-03-23T11:55:57ZI don't think I follow why CSRF applies here unless i am missing something. Bit that's OK ...<br />I have logged into Liferay, and am sitting on the welcome page. I type the link to the Open API YAML spec endpoint. I receive an "Access Forbidden" error. Are you saying that's always going to fail that way without a token?<br /><br />And then when i make a Liferay.Service() call in JavasSript will it handle the token acquisition automaticlaly?Michael Freeman2020-03-23T11:55:57ZRE: Headless Delivery API only supports BASIC AUTH?Javier Gamarrahttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1187910862020-03-23T10:07:45Z2020-03-23T10:07:45ZHeadless APIs support the same auth mechanism as the portal (OAuth, session, basic). The issue there is the CSRF check, either you disable it or pass the p_p_auth token. It's briefly explained here: <a href="https://portal.liferay.dev/docs/7-2/frameworks/-/knowledge_base/f/making-authenticated-rest-api-requests#using-cookie-authentication-or-making-requests-from-the-ui">https://portal.liferay.dev/docs/7-2/frameworks/-/knowledge_base/f/making-authenticated-rest-api-requests#using-cookie-authentication-or-making-requests-from-the-ui</a>Javier Gamarra2020-03-23T10:07:45ZHeadless Delivery API only supports BASIC AUTH?Michael Freemanhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1187904542020-03-22T20:16:04Z2020-03-22T20:16:04ZThe documentation for the REST APIs states that the APIs can be accessed by logged-in users but trying to access one of the GET based APIs in the browser after logging in results in an "Access Forbidden" error.<br /><br />It only seems to work in Postman/curl scenarios where i use BASIC AUTH to access the APIMichael Freeman2020-03-22T20:16:04Z