When attempting to trigger Jenkins jobs via curl commands, the 403 Forbidden error typically indicates authentication or authorization failures. The issue persists even when using:
- Basic authentication with username:password
- Job-specific build tokens
- API tokens for Jenkins users
For Jenkins 2.73.3 and later versions, these approaches have proven reliable:
Method 1: API Token with Crumb (CSRF Protection)
# First obtain the crumb
CRUMB=$(curl -s --cookie-jar /tmp/cookies -u username:api_token \
'http://jenkins/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
# Then trigger the job
curl -X POST --cookie /tmp/cookies -H "$CRUMB" \
-u username:api_token http://jenkins/job/job_name/build
Method 2: Personal API Token with Build Token Root Plugin
First install the Build Token Root Plugin, then:
curl -X POST http://jenkins/job/job_name/build?token=YOUR_BUILD_TOKEN \
--user username:api_token
- Ensure "Anonymous" has no overall read permissions
- Verify the authenticated user has Job/Build permissions
- Check "Enable security" is configured under Manage Jenkins > Configure Global Security
Add these flags to your curl command for better diagnostics:
curl -v -X POST ... # Show verbose output
curl --trace-ascii debug.txt ... # Save detailed trace
For more complex scenarios:
# Using API with JSON payload
curl -X POST -H "Content-Type: application/json" \
-d '{"parameter": [{"name":"param1","value":"value1"}]}' \
http://jenkins/job/job_name/build?token=TOKEN
# Remote access API (requires proper permissions)
curl -X POST http://jenkins/job/job_name/buildWithParameters \
--user username:api_token \
--data delay=0sec \
--data token=YOUR_TOKEN
- Never store credentials in plaintext scripts
- Use Jenkins Credentials Binding plugin for secure credential management
- Consider IP whitelisting for remote triggers
- Rotate API tokens periodically
When trying to trigger a Jenkins job remotely using curl, the 403 Forbidden error typically indicates an authentication or authorization issue. This can occur even when you've set up authentication tokens or API tokens correctly. Let's explore the most reliable methods to solve this.
Jenkins offers several ways to authenticate remote API calls:
1. Using Basic Authentication with API Token
The most reliable method combines username and API token:
curl -X POST -u "username:api_token" http://jenkins.example.com/job/your_job/build2. Using Build Token Root Plugin
If you've installed the Build Token Root plugin, you can use:
curl -X POST http://jenkins.example.com/buildByToken/build?job=your_job&token=YOUR_TOKENCSRF Protection
Modern Jenkins versions have CSRF protection enabled by default. You need to either:
- Disable it in Jenkins configuration (not recommended)
- Include the CSRF crumb in your request:
CRUMB=$(curl -s 'http://username:api_token@jenkins.example.com/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
curl -X POST -H "$CRUMB" -u "username:api_token" http://jenkins.example.com/job/your_job/buildPermissions Configuration
Ensure your Jenkins user has:
- Overall Read permission
- Job Build permission
Here's a full example that works with CSRF protection:
#!/bin/bash
JENKINS_URL="http://jenkins.example.com"
USERNAME="your_username"
API_TOKEN="your_api_token"
JOB_NAME="your_job"
# Get CSRF crumb
CRUMB=$(curl -s "$JENKINS_URL/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\":\",//crumb)" \
--user "$USERNAME:$API_TOKEN")
# Trigger the build
curl -X POST "$JENKINS_URL/job/$JOB_NAME/build" \
-H "$CRUMB" \
--user "$USERNAME:$API_TOKEN"If curl continues to be problematic, consider using the Jenkins CLI:
java -jar jenkins-cli.jar -s http://jenkins.example.com build your_job -remoting -auth username:api_token- Check Jenkins logs (
/var/log/jenkins/jenkins.log) - Enable verbose output in curl with
-vflag - Test with Postman or similar tools to isolate the issue