Version 0.8.14 introduces CSRF protection. This means requests to the REST interface (authenticated or not) must carry a CSRF Token or be denied. To enable usage from machine interfaces (syncthing-android, curl, etc) there is also an API key that can be enabled. The settings dialog adds a new API Key field:
The Generate button will generate a new API key.
Requests carrying an
X-API-Key HTTP header with this value will be allowed, regardless of authentication or CSRF measures. For example:
curl -H X-API-Key:628738OIUB8R62TGD6SGKMI2J888MK http://localhost:8080/rest/connections