Please clarify: Jenkins REST API with CSRF needs crumbs for user:PASSWORD, but not user:API_TOKEN?

问题

I found that with CSRF Protection enabled, i can either issue a post request with crumbs header and using username:PASSWORD for the basic auth header:

String basic = "<username>:<PASSWORD>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Jenkins-Crumb", "<CRUMB>");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes()));
c.getInputStream().close();

or use username:APITOKEN for the basic auth header, in wich case the crumbs header is not necessary:

String basic = "<username>:<APITOKEN>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes()));
c.getInputStream().close();

Question:

• Is this intended usage (username:APITOKEN without crumbs header)? The documentation and existing SO answers are vague.

Using Jenkins 2.164.3 and Java 8.

来源：https://stackoverflow.com/questions/56138723/please-clarify-jenkins-rest-api-with-csrf-needs-crumbs-for-userpassword-but-n