I’ve read that you don’t need to supply X-API-Key when using the post methods of the Rest API, i only really have use for the Events API which is a get method, I’ve tried connecting to it using Chrome,Edge and C#s’ HttpClient all showing the same CSRF error, i went into the Syncthing config file and copied the CSRF token and attached it to the request (X-CSRF-Token) to no avail, this is how i perform my request
127.0.0.1:8384/rest/events?since=0&X-API-Key=abcd&X-CSRF-Token=XXXX
Sorry if this was worded poorly and/or the answer is obvious.
The API key is needed (afaik for everything when not using user/pw) and needs to be a header, not in the URL. The csrf token is only for subsequent requests when using user/pw.
To use the POST methods, or any method when authentication is enabled, an API key must be set and used.
user
Set to require authentication.
retrieved from the documentations.
as i didn’t set the user/pw i thought i didn’t need to apply the key.
also the error threw me off, i think it is counter-intuitive to show me an CSRF error.