I am working on a script to bulk complete tasks, the following is a relevant code snippet:
req.body = JSON.stringify({
"done" : true,
"task_ids" : [
531,
532]
});
Output:
{"message":"missing, malformed, expired or otherwise invalid token provided"}
If anyone could send help I would be very grateful 
The error message states that your authentication token is not set correctly. Did you create an API token and are sending this along with your request?
I’ll share my (sanitized) script below, I use the same api key for other scripts with no problem. I will go ahead and generate a new key for testing this though and report back tonight!
Full (sanitized) script:
const url = 'https://my.site.tld/api/v1/tasks/bulk';
var test = url
var req = new Request(test);
req.method = 'POST';
req.body = JSON.stringify({
"done" : true,
"task_ids" : [
531,
532]});
req.headers ={
'Authorization': 'Bearer my_api_key_here'
};
var result = await req.loadJSON();
console.log(result)
New API token has the same result. I am running on the Unstable build to get tosoist migrated, I can update to latest and retest later on.
The same happens when running a simple request using Postman against the try instance, so it doesn’t seem to be version related. It seems to be related to the use of API tokens.
When using the login endpoint to obtain a JWT token (you need the username and password of a user though which obviously defeats the purpose of using API tokens) and running the same bulk update it works fine.
I’m afraid I won’t be able to help much more 
Totally okay! I’ll post an issue on git, see if that gets more eyes on it. Mostly wanted to make sure I wasn’t missing something, also included:
'Content-Type': 'application/json'
In my headers to the same result doing blind troubleshooting. 
Could you share a script for login? Trying to form one but my brain is fried.
I’m reasonably certain it has something to do with JWT / user tokens vs API tokens, because it does work when using the JWT token. I’m not using a script, I’m using postman. Its essentially like this (the variable base_url is set to https://try.vikunja.io/api/v1):
And then simply using this token to do the same request you have in your script, just with different task IDs:
I just built a python script that runs a login request and uses the token for my bulk change, thank you for the help, I just wanted to get something built for personal use so this totally works for me! Can share if anyone needs it!!
Looks like the permissions are not checked properly for the bulk endpoint (this kinda makes sense when considering how it works under the hood). I’ll take a look
Is this still a problem with the latest unstable build? I was unable to reproduce the problem with an api token with the task update permission.
I’ve used this curl command:
curl 'http://localhost:3456/api/v1/tasks/25' -H "Authorization: Bearer $BEARER" -H 'Content-Type: application/json' --data-raw '{"task_ids":[9,22],"done":true}'Tried via curl, python, and JS, none work, running Version: v0.23.0-748-e4b369009a, which I thought was the latest unstable(preformed docker compose pull etc prior to testing.
{"message":"missing, malformed, expired or otherwise invalid token provided"}
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
This is the only api call that does not seem to work with my API key, but it works fine with the JWTAuth still FWIW
tried testing with the --location flag after @Wasabi response and got the same message (shows my knowledge about curl) with the same result.
@kolaente you’re not using the /bulk endpoint, you’re specifying a task id in the URL. Wondering how it even behaves in this case?
curl --location 'https://try.vikunja.io/api/v1/tasks/bulk' --header 'Content-Type: application/json' --header 'Authorization: $BEARER' --data-raw '{"task_ids":[9,22],"done":true}'
{"message":"missing, malformed, expired or otherwise invalid token provided"}
My bad, seems like I didn’t pay attention to the correct url.
I’ve pushed a fix for this in 8b028dbc4b, please check with the next unstable build (should be ready for deployment in ~45min, also on try).
The bulk endpoints now show up when creating an api token under their “parents”, meaning “Bulk task update” will show up under “Tasks” as “Update Bulk”. You’ll need to recreate an api token but then it should work as expected.
get a new error!! 
here is my build out
{
"url": "https://tasks.SCRUBBED.TLD/api/v1/tasks/bulk",
"method": "POST",
"headers": {
"Authorization": "Bearer tk_Udated_API_Key"
},
"body": {
"task_ids": [
531,
532
],
"done": true
},
"timeoutInterval": 60,
"response": null,
"allowInsecureRequest": false
}
And results with:
{
"message": "Need at least one tasks to do bulk editing.",
"code": 4004
}
I attempted to add an id: 531 to see if it needed an id to springboard off of, but got the same result
By this do you meant that the tasks have to be a child of another task (ie, the single id in the request) or do you mean this is how the API is structured? just want to make sure I understand so I can utilize this the best way possible
IIRC you must specify a Content-Type: application/json header, otherwise Vikunja won’t try to parse the payload as json.
No, this is only about how the api is structured. You can see it when you create an api token.
