Unable to get/access CSRF Token in login api response headers #20265

Hi,

I’m not sure if this is what you’re looking for, but it seems as if this post talked about that already:

When I log in to my server using this API call, I only get the token, no additional headers (that’s probably what you’re seeing):

$ curl -i -d '{"login_id":"myusername","password":"mypassword"}'  https://mydomain.com/api/v4/users/login
HTTP/1.1 200 OK
content-type: application/json
token: h1mjokgq5jfn8noozmx1c16e5o
vary: Accept-Encoding
x-request-id: 9k8ce5j6ppgbudi8ej6tmc8rwo
x-version-id: 7.1.0.7.1.0-rc3.51c4691d7303fa048354e534e709415a.true
date: Fri, 15 Jul 2022 15:08:24 GMT
content-length: 713
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer-when-downgrade

But when I add an additional request header (X-Requested-With: XMLHttpRequest), things look different:

$ curl -i -d '{"login_id":"username","password":"password"}' -H "X-Requested-With: XMLHttpRequest" https://mydomain.com/api/v4/users/login
HTTP/1.1 200 OK
content-type: application/json
set-cookie: MMAUTHTOKEN=869dbg9yrbgc3yynzocrc79n7y; Path=/; Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; HttpOnly; Secure
set-cookie: MMUSERID=a95dgu7c5bbuik8xk5xhpdr1hc; Path=/; Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; Secure
set-cookie: MMCSRF=hicnidufpi8i7jfnmpiwoi3yie; Path=/; Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; Secure
token: 869dbg9yrbgc3yynzocrc79n7y
vary: Accept-Encoding
x-request-id: qy4i8ygu1pdwbqeewzexua7o5c
x-version-id: 7.1.0.7.1.0-rc3.51c4691d7303fa048354e534e709415a.true
date: Fri, 15 Jul 2022 15:10:28 GMT
content-length: 713
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer-when-downgrade

Is that perhaps what you’re looking for?
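
Added example, not part of the original post and not Mattermost's own code: a small POSIX shell helper that pulls the MMCSRF value out of a saved `curl -i` header dump and checks a cookie's flags. The function names `sample_headers`, `cookie_value` and `cookie_has_flag` are hypothetical; the header lines are copied from the second response shown above.

```shell
# Header lines copied from the second response in the post (sample input).
sample_headers() {
cat <<'EOF'
HTTP/1.1 200 OK
content-type: application/json
set-cookie: MMAUTHTOKEN=869dbg9yrbgc3yynzocrc79n7y; Path=/; Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; HttpOnly; Secure
set-cookie: MMUSERID=a95dgu7c5bbuik8xk5xhpdr1hc; Path=/; Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; Secure
set-cookie: MMCSRF=hicnidufpi8i7jfnmpiwoi3yie; Path=/; Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; Secure
token: 869dbg9yrbgc3yynzocrc79n7y
EOF
}

# cookie_value NAME: print the value of cookie NAME from headers on stdin.
# Returns 1 (and prints nothing) when no such Set-Cookie header is present.
cookie_value() {
  awk -v name="$1" '
    { sub(/\r$/, "") }                      # live curl -i output ends lines with CRLF
    tolower($0) ~ /^set-cookie:/ {
      pair = $0
      sub(/^[^:]*:[ \t]*/, "", pair)        # drop the header name
      sub(/;.*/, "", pair)                  # keep only NAME=VALUE
      eq = index(pair, "=")
      if (eq > 0 && substr(pair, 1, eq - 1) == name) {
        print substr(pair, eq + 1); found = 1; exit
      }
    }
    END { exit found ? 0 : 1 }
  '
}

# cookie_has_flag NAME FLAG: succeed if cookie NAME carries attribute FLAG
# (for example HttpOnly or Secure), compared case-insensitively.
cookie_has_flag() {
  awk -v name="$1" -v flag="$2" '
    { sub(/\r$/, "") }
    tolower($0) ~ /^set-cookie:/ {
      line = $0
      sub(/^[^:]*:[ \t]*/, "", line)
      n = split(line, part, /;[ \t]*/)      # part[1] is NAME=VALUE, rest are attributes
      if (index(part[1], name "=") != 1) next
      for (i = 2; i <= n; i++) if (tolower(part[i]) == tolower(flag)) hit = 1
    }
    END { exit hit ? 0 : 1 }
  '
}

csrf=$(sample_headers | cookie_value MMCSRF) && echo "MMCSRF=$csrf"
sample_headers | cookie_has_flag MMCSRF HttpOnly || echo "MMCSRF is not HttpOnly"
```

Against a live server, replace `sample_headers` with the output of the second curl command from the post; with the first command (no X-Requested-With header) `cookie_value MMCSRF` returns 1 because no cookies are set.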