Please Note This forum exists for community support for the Mango product family and the Radix IoT Platform. Although Radix IoT employees participate in this forum from time to time, there is no guarantee of a response to anything posted here, nor can Radix IoT, LLC guarantee the accuracy of any information expressed or conveyed. Specific project questions from customers with active support contracts are asked to send requests to

Radix IoT Website Mango 3 Documentation Website Mango 4 Documentation Website

Question| how to auto-login in mango using parent application

  • Hi,
    As I can understand from mention link (, is that there are two ways through which we can generate token.

    Option-1: By using mango UI (No need to have XSFR-Token mechanism)
    Option-2: By calling api with XSRF-Token mechanism.


    1. is there any api through which we can directly generate (without using mango UI) the JWT (json web token), without dealing with cookies and XSRF-TOKENi.e option-2. [Desired one]

    2. If XSRF-Token mechanism is mandatory then could you share more details on how to generate XSRF-Token and relevant details regarding this.

    As we can see below are the details required if we go with Option-2, so from where we can generate the highlighted part


    NOTE: we want to auto-login in mango application from our parent application which does accept username and password in json in request body
    Thanks and Regards
    Shubham Rajvanshi

  • Hi,

    We tried using the steps, but I am getting forbidden response on the second instance as well. I am not sure if it could be the case that I am using the trial(free) Mango version.
    Following is the request and response(Even after replacing the XRSF token received in the 1st response.)

    curl -v -X POST http://localhost:8080/rest/v2/login -d 'username=DineshTech&password=test@1234' -H "Accept:application/json; charset=UTF-8" -H "Content-Type:application/json; charset=UTF-8" -H "X-XSRF-TOKEN=631baff8-d352-47f1-9421-425732ab7e33"
    "< Set-Cookie: XSRF-TOKEN=631baff8-d352-47f1-9421-425732ab7e33; Path=/
    < X-Content-Type-Options: nosniff
    < X-XSS-Protection: 1; mode=block
    < X-Frame-Options: SAMEORIGIN
    < Cache-Control: must-revalidate,no-cache,no-store
    < Content-Length: 0

    Even after the above works, we need to ensure that the UI uses the same XRSF token, so that UI is automatically logged in once API login request is success, and identify the cookie which needs updating with the XRSF token.

    Currently I have been able to successfully retrieve data sing Auth bearer(JWT) generated by Mango UI -> User Profile, see request/response below:

    curl --request GET http://localhost:8080/rest/v1/users/current -H "Authorization:Bearer eyJhbGciOiJFUzUxMiJ9.eyJzdWIiOiJEaW5lc2hUZWNoIiwiZXhwIjoxNTgyMDg0MjI0LCJpZCI6MSwidiI6MSwidHlwIjoiYXV0aCJ9.AfQ3m66nzVjAq_5GiyCLJJDcJVZSNJDoMkNt157YNmPbKV1avMH7bVq7gAmOt3hdCwlekUBahVuK-9v8J0FuSa35AbOGulOx8FGYp0ea4Qu_gZepa42fk041h8t4MHfll6CRVNuxwgKIaXWpa_U4_2N4soL2Qo6TFzcBqOXGUEuOddaz"
    ""username"": ""DineshTech"",
    ""email"": """",
    ""grantedPermissions"": [""excelReports.fileStoreWritePermission"", ""graphical.view.addView"", ""internal.status"", ""action.purgeAllPointValues"", ""SNMP_MIB_STORE_READ"", ""alarms.view"", ""reports.view"", ""graphical.view.upload"", ""filestore.user.create"", ""dataFile.compiledTemplateFileStoreReadPermission"", ""permissionDatasource"", ""dataFile.compiledTemplateFileStoreWritePermission"", ""action.log4jUtil"", ""excelreports.view"", ""legacypointdetails.view"", ""dataFile.templateFileStoreReadPermission"", ""graphical.view"", """", ""dataFileDataSourceREST"", ""watchlist.view"", ""haystack.server"", ""mailingLists.create"", ""action.purgeAllEvents"", ""users.view"", ""action.purgeUsingSettings"", ""action.sqlRestore"", ""action.excelReportPurge"", ""SNMP_MIB_STORE_WRITE"", """", ""filestore.public.write"", ""pointlinks.view"", ""action.configurationBackup"", ""permissions.user.sendToMailingList"", ""dataImport.view"", """", ""action.reportPurge"", ""permissions.user.editSelf"", ""jsonData.create"", ""permissions.superadmin"", ""dataFile.templateFileStoreWritePermission"", ""filestore.core.write"", ""action.sqlBackup"", ""excelReports.fileStoreReadPermission""],
    ""sessionExpirationOverride"": false,
    ""sessionExpirationPeriod"": null,
    ""lastLogin"": ""2020-02-18T06:24:51.644Z"",
    ""lastPasswordChange"": ""2020-02-04T07:49:00.257Z"",
    ""organization"": ""NECTI"",
    ""organizationalRole"": ""Developer"",
    ""created"": ""2020-01-29T05:20:00.045Z"",
    ""emailVerified"": null,
    ""oldHashAlgorithm"": false,
    ""validationMessages"": null,
    ""password"": """",
    ""permissions"": ""superadmin, edit-ui-menus, edit-ui-pages, edit-ui-settings, user"",
    ""locale"": """",
    ""name"": ""Dinesh"",
    ""id"": 1,
    ""disabled"": false,
    ""homeUrl"": ""/ui/administration/home"",
    ""timezone"": """",
    ""systemTimezone"": ""GMT"",
    ""muted"": true,
    ""admin"": true,
    ""receiveOwnAuditEvents"": false,
    ""systemLocale"": ""en-US"",
    ""passwordLocked"": false,
    ""phone"": """",
    ""receiveAlarmEmails"": ""IGNORE"",
    ""data"": null

    Thanks and Regards
    Shubham Rajvanshi

  • So in a nutshell... you want to use a third party application to talk to mango via the API...
    But you can't get something to work?

    I cannot see what you're trying to ask.


  • Hi Fox,

    What we are trying to do is to implement an autologin to mango. Mango UI in this case would be called from inside our our parent application.

    I believe one of the ways to achieve this is through generation of XSRF token and logging in using this token,

    I am hoping that having this token stored as a session cookie would let me login to the Mango UI application without prompting for username and password.

  • Hi Shubham

    I received a 200 response from this command the token was copied from

    curl --location --request POST 'http:/localhost:8080/rest/v2/login' \
    --header 'Accept: application/json' \
    --header 'X-XSRF-TOKEN: 8c46bb86-5d56-4738-8de3-3864ec65a0a5' \
    --header 'Content-Type: application/json' \
    --header 'Cookie: XSRF-TOKEN=8c46bb86-5d56-4738-8de3-3864ec65a0a5' \
    --data-raw '{
        "username": "admin",
        "password": "admin"

  • Thanks Craig, so as can be seen @shubham, a cookie is in fact generated and part of the header payload.