
Proper way to capture Session Token


Hi all,


I've noticed that there are (at least) two ways of logging onto the API and capturing the Session Token.


1) 'Login' 

POST http://<base_url>/api/core/security/login HTTP/1.1

Code Snippet:

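$login_url = $base_url + "/api/core/security/login"
# ConvertTo-Json escapes quotes and backslashes in the values; a password containing " would break hand-concatenated JSON
$body = [ordered]@{ InstanceName = $instance_name; Username = $username; UserDomain = $user_domain; Password = $password } | ConvertTo-Json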

000032481 - How to use the RSA Archer REST API with Windows PowerShell 

2) 'CreateUserSessionFromInstance'

POST https://<base_url>/ws/general.asmx HTTP/1.1
SOAPAction: ""

000032488 - How to use the RSA Archer Web Services API with Windows PowerShell 


What is the difference between the two? If I'm simply trying to verify an account's current password and capture a Session Token is there a preferred method?



One thing I've noticed is that 'Login' uses Domain and CreateUserSessionFromInstance does not require a domain. Is that potentially the only difference?




Archer Employee

There is also a third option: the CreateDomainUserSessionFromInstance method, which uses a Domain parameter.


The end result is no difference.  Once you have a session token, you can make API calls to Web Services or REST API.  To me, it comes down to personal preference of the developer.


The only time you would have to use the Web Services methods is if the Allow Manual Bypass option is not enabled in the Archer Control Panel and Single Sign-On Mode is set to Windows Integrated.

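Added example, not part of the thread or of Archer's own KB code: the REST 'Login' call from the question, wrapped so that it takes a PSCredential, builds the body with ConvertTo-Json, refuses non-HTTPS URLs, and fails closed when no token comes back. The function name and the response fields IsSuccessful and RequestedObject.SessionToken are assumptions about the login response, which the thread does not show.

```powershell
# Added example. Get-ArcherSessionToken is a hypothetical helper name.
# Assumed response shape: { IsSuccessful: bool, RequestedObject: { SessionToken: string } }
function Get-ArcherSessionToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri]          $BaseUrl,
        [Parameter(Mandatory)] [string]       $InstanceName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $UserDomain = ''
    )

    # The request body carries the password, so never send it in cleartext.
    if ($BaseUrl.Scheme -ne 'https') {
        throw "Refusing to send credentials over '$($BaseUrl.Scheme)'; use an https base URL."
    }

    # ConvertTo-Json escapes quotes and backslashes in every value, so a
    # password such as  p"ss\word  still produces valid JSON.
    $body = [ordered]@{
        InstanceName = $InstanceName
        Username     = $Credential.UserName
        UserDomain   = $UserDomain
        Password     = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json

    $loginUrl = $BaseUrl.AbsoluteUri.TrimEnd('/') + '/api/core/security/login'

    # Invoke-RestMethod throws on non-2xx responses; a 200 can still be a
    # rejected login, so the flag and the token are both checked below.
    $response = Invoke-RestMethod -Method Post -Uri $loginUrl `
                                  -Body $body -ContentType 'application/json'

    if (-not $response.IsSuccessful -or
        [string]::IsNullOrEmpty($response.RequestedObject.SessionToken)) {
        # Report who and where, never the password or the raw request body.
        throw "Login rejected for '$($Credential.UserName)' on instance '$InstanceName'."
    }

    # Emit only the token; the caller decides where it is stored.
    $response.RequestedObject.SessionToken
}

# Usage with constructed values (archer.example.test and 'Default' are placeholders):
# $token = Get-ArcherSessionToken -BaseUrl 'https://archer.example.test' `
#              -InstanceName 'Default' -Credential (Get-Credential)
```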

Thanks for the info Jeff!



Hi Jeff,


How about SSO with SAML 2.0 and manual bypass enabled?

The user would like to get the session token using SSO without providing the password,

so how can we capture the session token with the API in this case?