Andrew Fletcher published: 16 May 2022 (updated) 19 May 2022 1 minute read
To get the X-CSRF token, first, you need to login as a member. Follow the steps outlined under User options - login, logout and user details.
Calling a query
The query string is: {domain}/rest/session/token
See the notes on set-up, for the staging and production URLs. Using the current staging URL in the set-up screen, as an example of the query string using the following criteria
Replacing the following variables:
- {domain} ~ your-site.com
https://your-site.com/rest/session/tokenNote, in Drupal 9 the path above doesn't work anymore. Instead use session/token as follows:
https://your-site.com/session/token
Headers
Do not send any headers in this query.
Example of the body output
X-2tk2nOwtKtrgJjxCfeyNwfayP25X9IdPUnW4D9ScU
Related articles
Andrew Fletcher
•
09 Jan 2026
Upgrading Drupal from 10.6.x to 11.3.2: a practical, dependency-driven walkthrough
Upgrading from Drupal 10.6.x to 11.3.x is officially supported, but in real projects it’s rarely a single command. The friction usually comes from **Composer constraints**, not Drupal itself.This article documents a real-world upgrade path from Drupal 10.6.1 → 11.3.2, including the specific blockers...
Andrew Fletcher
•
04 Apr 2025
Managing .gitignore changes
When working with Git, the .gitignore file plays a critical role in controlling which files and folders are tracked by version control. Yet, many developers are unsure when changes to .gitignore take effect and how to manage files that are already being tracked. This uncertainty can lead to...
Andrew Fletcher
•
26 Mar 2025
How to fix the ‘Undefined function t’ error in Drupal 10 or 11 code
Upgrading to Drupal 10.4+ you might have noticed a warning in their code editor stating “Undefined function ‘t’”. While Drupal’s `t()` function remains valid in procedural code, some language analysis tools — such as Intelephense — do not automatically recognise Drupal’s global functions. This...