XSRF Check fails when trying to create an issue

let res = await fetch(`https://placeholderurl/rest/api/2/issue`, {
        method: "POST",
        headers: {
          "Authorization": "Basic ...",
          "Content-Type": "application/json",
          // Header intended to bypass Jira's XSRF check on this request
          "X-Atlassian-Token" : "no-check"
        },
        body: JSON.stringify({
          "fields": {
            "project": {
              "id": "1111111"
            },
            "summary": "haha",
            "description": "aha",
            "issuetype": {
              "id": "111"
            },
            "priority": {
              "id": "10011101"
            }
          }
        })
    })

    // Read the raw response body (contains the XSRF error text on a 403)
    let resJson: string = await res.text()

When running this code in Excel’s script, I get an XSRF check failure. GET requests work fine. Additionally, the POST request works fine when running from a local .ts file.


Hi @JustinHu

Could you please share some more details like what response/error do you see on making the POST request, what browser and OS are you using and where exactly is the script running (You mentioned you are running this code in Excel)? Can you make sure “X-Atlassian-Token” is indeed sent with the request and Excel is somehow not pruning headers?


The error I am getting is ‘XSRF check failure’ (403 failure on post)

The browser is Chrome, OS is Mac OS. The script I’m running is the one I showed above. Excel has support for TypeScript scripts.

Attached is a screenshot of the request headers as shown on Chrome

I think this needs further investigation. Could you please raise this as a bug ticket from our developer help portal and we will look into it?

Probably have similar problem when using Jira API Cloud from Electron - "X-Atlassian-Token" : "no-check" does not work, I have to change User-Agent.

How did you change it? When I try to manually set user-agent in my request, it doesn’t override the default. I think most browsers have this as a security feature.

You cannot change User-Agent in the browser. Electron JS has session.setUserAgent which changes User-Agent in the main process only. (fetch in the browser process uses the changed User-Agent from the main process, then). So, this solution is possible in Electron JS only.
