JSON-RPC API request returns WebSudoRequiredException on Confluence
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Attempting to access administrative actions through the JSON-RPC API fails with an authentication error.
Environment
Confluence 7.7 and newer
Server or Data Center
Diagnosis
Authentication details are correct
An admin account is being used to authenticate the request
The request body is correct
You are testing an administrative request like rpc/json-rpc/confluenceservice-v2/addUserToGroup
The response is:
The application was unable to serve your request: com.atlassian.confluence.rpc.WebSudoRequiredException
Cause
A change in Confluence 7.7 added the requirement for websudo when running administrative requests through the JSON-RPC API.
Solution
Option 1 - Disable secure administrator sessions
To turn off secure administrator sessions:
Go to General Configuration > Security Configuration.
Select Edit.
Under Secure administrator sessions, uncheck the Enable checkbox.
Save your changes.
This will skip the WebSudo check and allow you to run the JSON-RPC calls successfully.
Option 2 - Use Postman's Interceptor add-on to pass the session cookies from the browser to the request in Postman
Alternatively, if you want to keep Secure Administrator Sessions enabled on your site, you can install Postman's browser extension called Postman Interceptor and link it to your Postman app so that cookies from the browser can be synced to Postman. Instructions can be found in Postman's documentation below:
The idea is that you must first pass the WebSudo login in the browser where Postman Interceptor is installed. When you make the JSON-RPC call via Postman, it'll pick up the cookies stored in the browser for that domain and authenticate you successfully.
Option 3 - Use REST or XML-RPC API instead of JSON-RPC
As described in the documentation, REST and XML-RPC are not affected by websudo. To use XML-RPC, enable it on General Configuration > Further Configuration > Remote API (XML-RPC & SOAP).
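The following is an added example, not code from this article or from Atlassian: a sketch of Option 3 that performs the addUserToGroup action over XML-RPC, which leaves secure administrator sessions enabled. The endpoint path `/rpc/xmlrpc`, the `confluence2.login`/`addUserToGroup`/`logout` method names, the host, the user and the group are assumptions not stated on this page, and `CannedTransport` is a constructed offline stand-in for the server.

```python
import xmlrpc.client


def add_user_to_group(base_url, admin_user, admin_password, username, group,
                      transport=None):
    """Log in over XML-RPC, add `username` to `group`, and always log out.

    Assumed (not on the page): endpoint /rpc/xmlrpc and confluence2.* methods.
    """
    proxy = xmlrpc.client.ServerProxy(base_url.rstrip("/") + "/rpc/xmlrpc",
                                      transport=transport)
    token = proxy.confluence2.login(admin_user, admin_password)
    try:
        return bool(proxy.confluence2.addUserToGroup(token, username, group))
    finally:
        # Invalidate the session token even if the admin call raised a Fault.
        proxy.confluence2.logout(token)


class CannedTransport(xmlrpc.client.Transport):
    """Constructed stand-in for the server: records calls, returns fixed replies."""

    def __init__(self, replies):
        super().__init__()
        self.replies = dict(replies)
        self.calls = []

    def request(self, host, handler, request_body, verbose=False):
        # Decode the XML-RPC request the client would have sent on the wire.
        params, method = xmlrpc.client.loads(request_body)
        self.calls.append((host, handler, method, params))
        reply = self.replies[method]
        if isinstance(reply, Exception):
            raise reply
        return (reply,)


def dry_run():
    """Exercise the call sequence against constructed replies (no network)."""
    transport = CannedTransport({
        "confluence2.login": "constructed-token",
        "confluence2.addUserToGroup": True,
        "confluence2.logout": True,
    })
    ok = add_user_to_group("https://confluence.example.com", "admin",
                           "constructed-password", "jdoe", "confluence-users",
                           transport=transport)
    return ok, [(call[2], call[3]) for call in transport.calls]
```

Against a real site, omit `transport` so the standard library's default HTTPS transport is used; the admin password travels in the login call, so the base URL should be `https://`.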