302 status code when sending any REST API call for Contact, Account or Case management

I'm calling the REST API of Contact, Account and Case management for CRUD operations. I'm calling the Creatio CRM REST API from WSO2 EI. The request is identical to the one which is sent from Postman or a REST client.

But it gives a 302 status for WSO2 EI calling the Creatio REST API, while it gives 403 for Postman or the REST client if the BPMCSRF header doesn't contain the cookie value.


If the BPMCSRF header value contains the correct cookie value from the Login request, Postman or the REST client gives 201/200 for a successful operation and WSO2 EI gets the same 302 response. The Login API call is working fine from WSO2 EI.


Sample Request from WSO2 EI

"POST /0/odata/Account HTTP/1.1[\r][\n]"

"Accept: application/json;odata=verbose[\r][\n]"

"X-Requested-With: XMLHttpRequest[\r][\n]"

"ForceUseSession: true[\r][\n]"

"Content-Type: application/json[\r][\n]"

"Content-Length: 228[\r][\n]"

"Host: 103594-crm-bundle.creatio.com[\r][\n]"

"Connection: Keep-Alive[\r][\n]"

"User-Agent: Synapse-PT-HttpComponents-NIO[\r][\n]"


"{"Name":"API Test","AccountId":"e6574af1-3e92-4099-958e-e798f52ee016","JobTitle":"Marketing manager","BirthDate":"0001-01-01T00:00:00Z","Phone":"","MobilePhone":"+1 213 566 34 22","Email":"test@gmail","Completeness":30,"Age":19}"


Sample Response from Creatio 


"HTTP/1.1 302 Found[\r][\n]"

"Server: nginx/1.14.1[\r][\n]"

"Date: Thu, 16 Sep 2021 06:21:05 GMT[\r][\n]"

"Content-Type: text/html; charset=utf-8[\r][\n]"

"Content-Length: 170[\r][\n]"

"Connection: keep-alive[\r][\n]"

"Cache-Control: private[\r][\n]"

"Location: /Login/NuiLogin.aspx?ReturnUrl=%2f0%2fodata%2fAccount[\r][\n]"

"X-AspNet-Version: 4.0.30319[\r][\n]"

"X-Powered-By: ASP.NET[\r][\n]"

"X-Frame-Options: SAMEORIGIN[\r][\n]"

"X-Content-Type-Options: nosniff[\r][\n]"


"Object moved[\r][\n]"


Object moved to here.







It means that you are not authenticated properly in the application (see the location part "/Login/NuiLogin.aspx?ReturnUrl=%2f0%2fodata%2fAccount", you were redirected to the login page). You need to check all the cookies that are passed to the OData request that you send and compare them with the cookies you get in Postman + perform more tests to see which cookie set will result in a successful call.

Oscar Dylan,

If it is an authentication error, it should be a 401 or 403 status. But here it always redirects to the login page with 302. I verified the headers from both Postman and the client app; they are identical.



That is correct - the resource was found, but you need to authenticate first (once again, pay attention to the location path /Login/NuiLogin.aspx?ReturnUrl=%2f0%2fodata%2fAccount). The system automatically redirected you to the login location.

In Postman you receive 200 OK for the request, but before it you receive a 302 response (you can check in the Postman console):

Hi Oscar,


Thank you very much for the information, but I'm still confused about the authentication approach. This is what I'm doing.


When I get a 302 for the Contact endpoint, I perform the authentication against the auth endpoint with a POST call to <Creation-app-host>/ServiceModel/AuthService.svc/Login with the body [1]. Then I see the cookie details in the response, including the BPMCSRF cookie, with a 200 response. Then I call the Contact endpoint again with those auth cookies; [2] are the headers which I send to the Contact endpoint again. But the same 302 redirection is still there even after successful authentication.


Could you please help me on this.

--- Is the above approach wrong?

--- Are the auth headers mentioned in [2] wrong?


If the above approach is wrong, please help me to find the request format from the client application to complete a successful Contact create through the client.


[1] body




[2] . Headers


Accept: application/json;odata=verbose[\r][\n]"

"BPMCSRF: cvHrL0GEHYdswl1QZh8Ie.[\r][\n]"

"ForceUseSession: true[\r][\n]"

"Set-Cookie: .ASPXAUTH=F82E.... "

"Set-Cookie: BPMCSRF=cvHrL0GEHYdswl1QZh8Ie."

"Set-Cookie: BPMLOADER=zchmt5tlzildsx22zlle1wnk"

"Set-Cookie: UserName=93|117|112|101|114|118|105|115|101|114"

"Content-Type: application/json; charset=utf-8[\r][\n]"

"Content-Length: 228[\r][\n]"

"Host: 103594-crm-bundle.creatio.com[\r][\n]"

"Connection: Keep-Alive[\r][\n]"

"User-Agent: Synapse-PT-HttpComponents-NIO"


Hi Anusha,


Unfortunately, you have to run tests and find a way to pass the cookies to the request properly in terms of your integration. For example, I have this cookie header in Postman:


BPMSESSIONID=xjjysy25na5ig5sqbgdyxd14; visid_incap_2180455=49BJJNmNT1uK2vo4spt1YM3yQWEAAAAAQUIPAAAAAAB7xEOk/CkixDKkf1pVpwRW; .ASPXAUTH=0129CAB95F4B3C753B6B00E3BBC7F15E9F0CF094A9209DCC541E033D963163699488F8A6AF3F3F845BABCA582CE603AD00E4AC3EE005216347F4B399235033BF60A3338158451099DEC44FE8B1920F57398E4439EE170B436C75FF3BA3BFC2C28BF8BCCB6D37261D9942F97133800DFEED491B8C8671824183CF9CD2CC20549B5BF672599D3F9CAD151E6F4C92A95C7FC888E4214039842D8B53E540D03495542D8C60B238BA9759FFAE27920E7688D35C92795D59741A8D0E5B34234C6DCC769F79A176BF63CCA190D0BEC19A8ACF3793A6522866BF14A14092474BBA68D100282CE8CB6DAB3C8041DB7544EABD759617446687311CE784129E88BE2558CE2917C790372F214D6E8D05B630B789F0D37E4EBB60E06A6B0C20FE075ED78960211A017F115D32F53B2D76E9B2AF302EC3887E47FE421CA76D246B0FCD8260B25380BED735F19C87C0545187841709C5A75B5547CDF43D52304C9D4760C8E625F7DA674A74; BPMCSRF=ulHtF40aiiRNzRWk5BMTWO; BPMLOADER=mnbxfikelfxqnnl2iz0aiobd; BPMSESSIONID=xjjysy25na5ig5sqbgdyxd14; UserName=83|117|112|101|114|118|105|115|111|114


And I guess all of them should also be passed to your request. This is not something that can be solved on the community; you need to test your integration authentication to find a correct way.


Also check if your authentication in terms of your integration is configured in a similar way to the one explained here.
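
Added example, not part of the original thread and not Creatio or WSO2 code: the header list [2] above carries the login cookies as `Set-Cookie:` lines, but an HTTP client returns cookies to the server in a single `Cookie` request header. The sketch below converts a login response's `Set-Cookie` values into the `Cookie` and `BPMCSRF` headers and audits a header list for the gaps that leave a request unauthenticated. All cookie values and function names are constructed for illustration.

```python
# Added example, not code from the thread. All cookie values are constructed.
LOGIN_SET_COOKIE = [  # Set-Cookie values as a login response would carry them
    ".ASPXAUTH=AAAA1111; path=/; HttpOnly",
    "BPMCSRF=csrfTokenSample; path=/",
    "BPMLOADER=loaderSample; path=/; HttpOnly",
    "UserName=83|117|112; expires=Fri, 16-Sep-2022 06:21:05 GMT; path=/",
]

def parse_cookie_pairs(lines):
    """Return {name: value} from cookie strings, dropping attributes like path."""
    jar = {}
    for line in lines:
        pair = line.split(";", 1)[0].strip()
        name, sep, value = pair.partition("=")
        if sep and name:
            jar[name] = value
    return jar

def build_request_headers(jar):
    """Headers for the OData call: one Cookie header plus the BPMCSRF header."""
    if "BPMCSRF" not in jar:
        raise ValueError("login response carried no BPMCSRF cookie")
    return [
        ("Accept", "application/json;odata=verbose"),
        ("Content-Type", "application/json; charset=utf-8"),
        ("ForceUseSession", "true"),
        ("BPMCSRF", jar["BPMCSRF"]),
        ("Cookie", "; ".join(f"{k}={v}" for k, v in jar.items())),
    ]

def audit_request_headers(pairs):
    """List reasons the server would see this request as unauthenticated."""
    lower = [(n.lower(), v) for n, v in pairs]
    problems = []
    if any(n == "set-cookie" for n, _ in lower):
        problems.append("Set-Cookie is a response header, not a way to send cookies")
    cookie = next((v for n, v in lower if n == "cookie"), None)
    if cookie is None:
        return problems + ["no Cookie header: no session cookie reaches the server"]
    csrf = next((v for n, v in lower if n == "bpmcsrf"), None)
    if csrf is None or parse_cookie_pairs(cookie.split(";")).get("BPMCSRF") != csrf:
        problems.append("BPMCSRF header does not match the BPMCSRF cookie")
    return problems

# Shaped like the header list [2] in the thread (constructed values).
AS_IN_POST = [("BPMCSRF", "csrfTokenSample"), ("ForceUseSession", "true"),
              ("Set-Cookie", ".ASPXAUTH=AAAA1111"), ("Set-Cookie", "BPMCSRF=csrfTokenSample")]
FIXED = build_request_headers(parse_cookie_pairs(LOGIN_SET_COOKIE))

if __name__ == "__main__":
    print(audit_request_headers(AS_IN_POST))
    print(audit_request_headers(FIXED))
```

Running the audit over the headers a mediation layer actually puts on the wire (taken from its wire log) shows whether the session cookies leave the client at all.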

Hi Oscar,


Thanks for the information. I will check further.


Thanks & Best Regards

