"Errors":[ "Not authorized to perform action: Invalid key" ]
This error can be encountered for the following reasons:
Basic credentials cannot POST changes without first acquiring a security token. This process has been deprecated in the production environment in favor of using API keys, however is still necessary for sandbox environments and on-premises appliances.
If you are working within an application that has already registered a session and you try to use an API key, you may encounter the above error if the application is sending cookie data that contains authorization from your registered session. When this happens, it is effectively the same issue as sending basic credentials without a security token.
In this scenario, either disable cookies in the application/request or manually send a blank Cookie header.
An example of this scenario would be using a browser with an installed REST API client extension. You are logged into Rally in another tab in the browser and using an API key in the REST API client extension. If the browser is sending the existing cookie session data, the request may fail.
Each security token that is generated is tied to a session ID. If you do not associate the API request with the session ID, Rally assumes this is a new login and generates a new session ID. At a minimum, you must capture JSESSIONID and ZSESSIONID from the cookie of the authorization request and pass that back in the subsequent request to create, modify or delete data.
The following is an example flow in curl:
First, we call the authorization endpoint, making sure to write a cookie file
curl -b cookies.txt -c cookies.txt -u [<username>]:[<password>] https://rally1.rallydev.com/slm/webservice/v2.0/security/authorize
Next, open the cookie file and get the values for JSESSIONID and ZSESSIONID. Use thise for the [<jessionid>] and [<zsessionid>] values below respectively.
Copy the SecurityToken value from the request above and replace [security_token] in the request below
curl -H "cookie: JSESSIONID=[<jsessionid>];ZSESSIONID=[<zsessionid>]" -u [<username>]:[<password>] -H "Content-Type: application/json" -d"{\"Defect\": {\"Name\": \"Hello world\",\"Description\": \"Hello world\",\"Workspace\": \"/workspace/<Workspace OID>\",\"Project\":\"/project/<Project OID>\"}}" https://rally1.rallydev.com/slm/webservice/v2.0/defect/create?key=[<security_token>]
This scenario is actually a combination of the above two issues. Under normal circumstances, a read-only key trying to POST would result in a 401 error. However when using a read-only key in the presence of an established session it is guaranteed to try and use the credentials from the established session and will fail.
An extenuating condition where this is seen with full-access keys, is one where invalid POST operations have been attempted and subsequently the "Invalid key" response has been cached for that request by a proxy. If there is a caching proxy server in use at your location, then there is no control over that from an Agile Central perspective and you will need to work with your network team to adjust rules to prevent responses from being cached.