Join 34,000+ subscribers and receive articles from our blog about software quality, testing, QA and security.

Yet another request for enhanced attachment support


I am aware that uploading attachments via REST API is not officially supported, still it’s absolutely crucial for our company’s in-house tools which already integrate with TestRail to be able to create attachments, too.

Here’s the use-case: using our in-house tool, QA engineers can import tests from a TestRail instance, run them locally, and upload the results (currently, statuses and comments) back to TestRail.

It would be great if they could also upload various data they collect while testing:

  • log files,
  • core dumps,
  • screen shots,
  • screen recordings, etc.

and attach those to the corresponding tests within a test plan or test run.

As far as I understand, creating an attachment for a test within a test run involves two HTTP requests:

  • an HTTP POST to${projectId}&is_upload=1 which actually creates an attachment, and
  • a subsequent POST to to reference the newly created attachment in the context of a test.

The problem is, the internal API requires that both requests have a valid session-specific token in their body, e. g.:

Content-Disposition: form-data; name="_token"

Content-Disposition: form-data; name="attachment"; filename="filename.pdf"
Content-Type: application/pdf


– otherwise TestRail responds with a CSRF protection error, while totally ignoring the Authorization header:

HTTP/1.1 200 OK
Server: Apache
Connection: keep-alive
Content-Length: 163
Date: Fri, 13 Sep 2019 13:23:20 GMT
Content-Type: application/json; charset=utf-8

{"result":false,"error":"The CSRF token is missing or invalid for this POST request.\nThis usually means that your session has expired. Please refresh this page."}


  • Is it possible to implement an additional HTTP Basic Authorization check for /attachments/ajax_add_for_test_change and /tests/ajax_add_change (similarly to the official REST API) in any of the upcoming minor updates to the version 6 (i. e. before v7 is released)? We don’t care too much whether it’s officially supported, we only need it to be useable.
  • If not – then are there any known workarounds (e. g. using any 3rd party extensions, etc.)?
  • Is implementing attachment support (via REST API) anywhere on your road map? We’d rather refrain from rolling out any 3rd party hosting services separate from our TestRail instance.

Thank you for your response.