# Unauthorized SANtricity API calls


small nebula

Would anyone have experience around API scripting? I'm trying to gather information for a list of E-series controllers and I'm authorising with 'admin' using "https://$($array.ip)/devmgr/utils/login".
Some calls work as expected, for instance "https://$($array.ip)/devmgr/v2/storage-systems/1/local-users/info".

adminPasswordSet minimumPasswordLength
            True                     8

But others, like "https://$($array.ip)/devmgr/v2/storage-systems/1/settings/sessions", just return "HTTP ERROR 401 Unauthorized". I know that my credentials are ok because of other calls working, so there must be something else.

One thing I noticed was that the calls that don't work give me this while I try to open them in a browser (authenticated of course).

{"errorMessage":"A valid XSRF token is required to prevent cross-site request forgery, but the token was missing or invalid.","developerMessage":null,"localizedMessage":"A valid XSRF token is required to prevent cross-site request forgery, but the token was missing or invalid.","retcode":"xsrfTokenInvalid","codeType":"devicemgrerror","invalidFieldsIfKnown":[],"category":"authorization","errorCode":"xsrfTokenInvalid","description":"A valid XSRF token is required to prevent cross-site request forgery, but the token was missing or invalid.","developerMessage":null}

Why would just some calls require the XSRF token? Is there any way around this? All suggestions are appreciated. 😊

small nebula

Well, after some more testing the solution was quite simple. Don't authenticate using the API (/devmgr/utils/login). In PowerShell I instead just did a simple get-credential to file and then used that when authenticating each call.
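
A sketch of the per-call approach described in the post above, added here as an example and not part of the original post. The array addresses and the credential file path are constructed placeholders, the helper name `Get-ArrayResource` is hypothetical, and it assumes the arrays accept the credential on each request as the post reports.

```powershell
# Added example. Addresses and file path below are constructed placeholders.
$credPath = Join-Path $env:USERPROFILE 'santricity-admin.xml'   # hypothetical path
$arrays   = @(
    [pscustomobject]@{ ip = '192.0.2.10' },
    [pscustomobject]@{ ip = '192.0.2.11' }
)

# One-time step: prompt for the account and save it to a file.
# On Windows, Export-Clixml protects the password with DPAPI, so the file
# can only be read back by the same user on the same machine.
if (-not (Test-Path $credPath)) {
    Get-Credential -UserName 'admin' -Message 'SANtricity account' |
        Export-Clixml -Path $credPath
}
$cred = Import-Clixml -Path $credPath

# Hypothetical helper: one GET per resource, credential supplied on every call.
function Get-ArrayResource {
    param(
        [Parameter(Mandatory)] [string]       $Ip,
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $uri = "https://$Ip/devmgr/v2/storage-systems/1/$Path"
    try {
        # No -WebSession or -SessionVariable here: nothing from a previous
        # /devmgr/utils/login call is carried into this request.
        Invoke-RestMethod -Uri $uri -Method Get -Credential $Credential -ErrorAction Stop
    }
    catch {
        # Surface the HTTP status (for example 401) instead of stopping the loop.
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        Write-Warning "$uri failed (HTTP $status): $($_.Exception.Message)"
    }
}

# The two endpoints mentioned in the thread, collected per array.
foreach ($array in $arrays) {
    [pscustomobject]@{
        Array     = $array.ip
        LocalUser = Get-ArrayResource -Ip $array.ip -Path 'local-users/info'  -Credential $cred
        Sessions  = Get-ArrayResource -Ip $array.ip -Path 'settings/sessions' -Credential $cred
    }
}
```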

dusky cypress

@small nebula I have the same issue.
Do I need to POST "/access-token/settings" to update the maxDuration?
Or how do I fix that issue?