I found that with CSRF Protection enabled, I can either issue a POST request with a crumbs header and username:PASSWORD for the basic auth header:

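import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Account password in the basic auth header, plus the CSRF crumb header
String basic = "<username>:<PASSWORD>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Jenkins-Crumb", "<CRUMB>");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
c.getInputStream().close(); // sends the request; throws IOException on an HTTP error status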

or use username:APITOKEN for the basic auth header, in which case the crumbs header is not necessary:

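import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
// API token in place of the password; no Jenkins-Crumb header is sent
String basic = "<username>:<APITOKEN>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
c.getInputStream().close(); // sends the request; throws IOException on an HTTP error status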

Question:

  • Is this intended usage (username:APITOKEN without crumbs header)? The documentation and existing SO answers are vague.

Using Jenkins 2.164.3 and Java 8.

Jason Aller
Reto Höhener

0 Answers