Questtion: why operate API always return 403

[iambiglee]

Hello zeebe team

For some business of my company, I am trying to use zeebe.
My operatation like below

1. run docker compose up with this file : https://github.com/camunda/camunda-platform/blob/main/docker-compose/camunda-8.6/docker-compose-core.yaml. and it successful running
2. run

 $ curl -c cookie.txt -X POST 'http://localhost:8081/api/login?username=demo&password=demo'  

successful
and cookie .txt like below

# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_localhost	FALSE	/	FALSE	0	OPERATE-X-CSRF-TOKEN	e0129165-5557-4d13-90bb-e31b339c4716
#HttpOnly_localhost	FALSE	/	FALSE	0	OPERATE-SESSION	5CC602E63D5959F863788E11DFEE0DA2

4. error occur when I run

$ curl -b cookie.txt -X POST  'http://localhost:8081/v1/process-instances/search' -H 'Content-Type: application/json' -d '{}'

error is

{"timestamp":"2024-08-22T13:24:13.306+00:00","status":403,"error":"Forbidden","message":"Forbidden","path":"/v1/process-instances/search"}

I'd like to know why this happen, is there any setting I missed?

[jessesimpson36]

@iambiglee you need to log in to keycloak and use that token for the operate endpoint. we have an open issue here camunda/camunda-docs#4092 to improve our documentation to include the keycloak specific curl request. the ticket also has an example you can follow.

[jessesimpson36]

Closing since this doesn't look like a bug, aside from lacking documentation.

[iambiglee]

you guys really needs improve your documents.
it is not easy to read and understand now