Skip to Content
Technical Articles
Author's profile photo Gourab Dey

CSRF Token Validation Failed in POST method in Gateway Client


With latest version of S/4 Hana, we get “CSRF Token Validation Failed” in Gateway client (T-code: /IWFND/GW_CLIENT). In previous version of S/4 Hana, this error were not raised when testing in Gateway client or API testing tool such as Postman. But, the latest version of S/4 Hana raises this error as it follows a stricter X-CSRF rule. Check out the note 2597429 for more information.

Issue Resolution:

  • The Cookie has to be set along with X-CSRF-TOKEN in POST request header.
  • Use Postman to test the API, as the length of the cookie may exceed 255 char. The maximum length of the module pool field is 255. Hence, we cannot set the cookie value properly in request header in Gateway Client. So, Postman is preferred.

Fetch CSRF Token and Cookie and Set in POST request:

To fetch the CSRF token, we will call a GET API. Either we can use the same OData API which we will use to push the data or we can have a separate API which can be used centrally to fetch the CSRF token and cookie.

To fetch the CSRF token, please maintain the header parameter of request as below as below. After that please click on “save”.

(Header parameter in request to fetch CSRF Token)

Once we click on the “Send” button, we will get the response as below. We can see status is “200”, which means the call is success. We can see the CSRF token and cookie has been retrieved.

(Response from GET API)

We can see CSRF token and Cookie has been retrieve. We can see 2 entries for the cookie. So, both the value has to be concatenate with semicolon “;” as separator.

Provide the CSRF token and Cookie been retrieve in previous step in post method.

We can see the data is posted successfully.


We saw how we can fetch the CSRF token and Cookie using a GET request and how to set those in the POST request. Doing so, the issues with CSRF token will be resolved.

Please follow the blog post to see how the fetching and setting of CSRF token and cookie can be automated in Postman.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Shweta Jain
      Shweta Jain

      Awesome.. Worked for us ..

      Author's profile photo Gourab Dey
      Gourab Dey
      Blog Post Author

      Hi Shweta, nice to hear it helped you.



      Author's profile photo Kisito Nzonji
      Kisito Nzonji

      Unfortunately this didn't work for me.
      Also tried disabling the CSRF Token check as described in

      But this didn't help either.
      Any Ideas what else i could be missing?

      Thanks in advance

      Author's profile photo Mohamed Salah
      Mohamed Salah


      where do i get the ZGEN_TOKEN_SRV service from ?