Headless Restore from XML using cURL

I am developing an automated deploy/test workflow that evaluates various applications (run in docker containers) against our company's internal requirements.

This workflow is tied to the release page RSS feed, and runs each time a new version of Crowd is available.

Essentially, my requirements are to bypass the setup wizard and have a way to restore from an XML backup without a user ever needing to interact with the UI. 

I have made some progress using cURL, but get a token error on the request and a 'parameter name blocked' warning in the logs.

Anyone done this successfully?

Thank you!

1 answer

1 accepted

1 vote
Answer accepted
Dawid Owoc Atlassian Team Dec 21, 2020

Hello @Bradley Reimers

Making POST requests using curl to automate Crowd's setup flow sounds like a good plan.

The token error you're referring to is most probably atl_token, which is normally passed with the form data when you submit a form in each setup step using your web browser. This token prevents XSRF.

In your POST requests from curl, you can disable verification of this token by adding the following header:

X-Atlassian-Token: no-check

Disclaimer: the possibility of disabling token verification by adding this header does not allow XSRF, because browsers do not allow adding additional headers to the POST requests they make when you submit a form. XSRF is also not possible for cross-origin AJAX requests because of CORS.

When it comes to the parameter name blocked message in the logs, it's not related to the aforementioned XSRF token. This log entry is raised when you make a request which contains a query parameter that does not match the following regular expression:


You shouldn't need to pass such query param. Could you share with us what parameter is causing that? The parameter's key should be visible in the logs.

Here's an example POST request using curl to submit the first setup step (License):

curl -XPOST -H 'X-Atlassian-Token: no-check' --data-urlencode "sid=${SERVER_ID}" --data-urlencode "key=${LICENSE}" 'http://localhost:8095/crowd/console/setup/setuplicense!update.action'


  • ${SERVER_ID} - Crowd's server ID. It can be obtained from ${CROWD_HOME}/shared/crowd.cfg.xml
  • ${LICENSE} - your Crowd's license key

The next steps in the setup flow can be submitted analogously.

Best wishes,
Dawid Owoc (Junior Developer at Atlassian)
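
The reasoning in the answer's disclaimer, modeled as an added example (not part of the original answer and not Atlassian's code): it compares what a cross-site HTML form, a cross-origin script request and curl can each get past the token check when the header is X-Atlassian-Token: no-check. The server-side check, the origin and the token values are assumptions made for illustration.

```javascript
// Simplified model of the browser and server rules the answer relies on.
// Not Atlassian's code; origins and tokens below are constructed sample values.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// CORS: does a cross-origin script request need an OPTIONS preflight first?
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const key = name.toLowerCase();
    if (!SAFE_HEADERS.has(key)) return true; // custom header, e.g. X-Atlassian-Token
    return key === 'content-type' && !SAFE_TYPES.has(value.split(';')[0].trim().toLowerCase());
  });
}

// Server side (assumed behaviour): skip the check on "no-check", else compare tokens.
function xsrfCheckPasses(headers, formToken, sessionToken) {
  const token = Object.entries(headers).find(([k]) => k.toLowerCase() === 'x-atlassian-token');
  if (token && token[1] === 'no-check') return true;
  return typeof formToken === 'string' && formToken === sessionToken;
}

// client: 'html-form' | 'cross-origin-fetch' | 'curl'
function outcome(client, req, server) {
  let headers = req.headers;
  if (client === 'html-form') {
    // A form submission cannot carry author-chosen headers.
    headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  } else if (client === 'cross-origin-fetch' && needsPreflight(req.method, headers)) {
    // The preflight fails unless the server's CORS policy lists the origin,
    // and the browser then never sends the real POST.
    if (!server.corsAllowedOrigins.includes(req.origin)) return 'blocked-by-browser';
  }
  return xsrfCheckPasses(headers, req.formToken, server.sessionToken)
    ? 'accepted' : 'rejected-by-server';
}

const server = { sessionToken: 'constructed-session-token', corsAllowedOrigins: [] };
const setupStep = {
  method: 'POST',
  origin: 'https://other-site.example',
  headers: { 'X-Atlassian-Token': 'no-check' },
};

for (const client of ['html-form', 'cross-origin-fetch', 'curl']) {
  console.log(client, '->', outcome(client, setupStep, server));
}
```

In this model, listing the caller's origin in corsAllowedOrigins changes the second outcome to accepted, which is why the CORS policy of the instance matters when relying on this header.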
