Open a site session by using the LWSSO token that you obtained when you authenticated.




Starting from ALM 12.60, you can restrict API access to a white-list of client types, using the RESTAPI_ACCESS_APIKEY_ONLY site parameter. This requires adding a Client-Type attribute to the header of the site-session resource. For details, see Restrict API access.

To specify a client type or timeout when creating a session, POST an XML compliant with the Session-parameters Schema.

The input XML is optional. The default values are:

  • Client type = "REST Client"
  • Timeout = 60 minutes
  • No licenses consumed

Add the QCSession cookie returned by the POST to the next request. In every subsequent request, send the QCSession cookie returned by the previous response.

On a successful POST, the site-session resource returns an XSRF-TOKEN cookie. In all subsequent requests, include an X-XSRF-TOKEN header whose value is the value of the XSRF-TOKEN cookie. Failure to do so may create a security risk and make your application incompatible with other client types. See Session Management.

When a session ends, all locks are released. Therefore, if an application connects to a new session, discard all data downloaded previously. If you do not, a PUT operation can overwrite changes made by another user while the entity was not locked.

HTTP Methods

GET:  Resets the timeout clock. This extends the lifetime of the session.

PUT:  Resets the timeout clock. This extends the lifetime of the session.

DELETE:  Deletes the current session.

POST:  Creates a new session.

Media Type


No input. PUT creates default client type


No HTML body returned. On a successful POST, this request returns ALM_USER, QCSession, and XSRF-TOKEN in Set-Cookie.

One of the HTTP Return Codes.

DELETE returns cookie expiration. For example:
Set-Cookie: QCSession=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

POST returns a QCSession cookie and an XSRF-TOKEN cookie.
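
The cookie handling described above, as an added example (not code from the ALM documentation): it applies each response's Set-Cookie lines to a cookie jar, builds the Cookie and X-XSRF-TOKEN headers for the next request, and refuses to continue once DELETE has expired QCSession. The function names and the sample cookie values are assumptions made up for this illustration; a real jar would also carry the cookie obtained at authentication.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie lines for a successful POST; values are made up.
POST_SET_COOKIE = [
    "ALM_USER=abc123; Path=/",
    "QCSession=sess456; Path=/; HttpOnly",
    "XSRF-TOKEN=tok789; Path=/",
]
# The DELETE response line shown on this page.
DELETE_SET_COOKIE = ['QCSession=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/']


def update_jar(jar, set_cookie_lines, now=None):
    """Apply one response's Set-Cookie lines to jar (a dict of name -> value)."""
    now = now or datetime.now(timezone.utc)
    for line in set_cookie_lines:
        parsed = SimpleCookie()
        parsed.load(line)
        for name, morsel in parsed.items():
            expires = morsel["expires"]
            expired = bool(expires) and parsedate_to_datetime(expires) <= now
            if expired or morsel.value == "":
                jar.pop(name, None)       # the server expired this cookie
            else:
                jar[name] = morsel.value  # always keep the newest value
    return jar


def request_headers(jar):
    """Headers for the next request; refuses to build them without a live session."""
    if "QCSession" not in jar:
        # Session ended, so its locks are released: cached entities are stale.
        raise RuntimeError("no live session: discard cached entities and POST again")
    if "XSRF-TOKEN" not in jar:
        raise RuntimeError("XSRF-TOKEN cookie missing: cannot set X-XSRF-TOKEN")
    return {
        "Cookie": "; ".join(f"{k}={v}" for k, v in jar.items()),
        "X-XSRF-TOKEN": jar["XSRF-TOKEN"],
    }


if __name__ == "__main__":
    jar = update_jar({}, POST_SET_COOKIE)
    print(request_headers(jar))
    update_jar(jar, DELETE_SET_COOKIE)
    print("QCSession" in jar)
```
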

See Also

Session Management