NOTICE: is no longer in use from 1st March 2024. Please use the OpenStreetMap Community Forum

Hi, When making calls to to update elements I am getting a "405 (Method not allowed)" response. I could swear it was working a week or so ago...

The Basic Authentication itself seems to be working - if I use a dummy user name and/or password I get a 401 Unauthorized. With the same authentication I can get the permissions using /api/0.6/permissions and they are all there. But when I go to do an actual update (opening and closing the changeset is working fine) I get the "405 (Method not allowed)". I am using PUT (as per the documentation) but I have tried using POST - same results. The response includes this header: "Allow: GET, HEAD, OPTIONS".

Using https instead of http gives the same result, so I am sticking with http for the moment for ease of debugging (with Wireshark.)

Using the same account with Potlatch has no problems - but that uses OAuth instead of Basic Auth.

Am I doing something wrong? Has updating via Basic Auth been turned off deliberately? Any ideas?

A bit background - this is how I issue requests to the server:

I am working in VB.Net using HttpWebRequest
Typical url is, using PUT, with XML payload
Basic Authentication being added like this:
                Dim cre As String = $"{Credentials.UserName}:{Credentials.Password}"
                Dim bytes As Byte() = System.Text.Encoding.ASCII.GetBytes(cre)
                Dim base64 As String = Convert.ToBase64String(bytes)
                req.Headers.Add(“Authorization”, “Basic ” + base64)
Payload written like this:
                Dim b() As Byte
                b = System.Text.Encoding.UTF8.GetBytes(sPayload)
                req.ContentLength = b.Length
                req.ContentType = "application/xml; charset=utf-8"
                With req.GetRequestStream
                    .Write(b, 0, b.Length)
                End With

asked 13 Apr '17, 20:17

csmale's gravatar image

accept rate: 16%

edited 25 Mar '18, 23:47

aseerel4c26's gravatar image

aseerel4c26 ♦


not sure if that is related: but could you mention how you are issuing the requests to the server?

Thanks for the additional info, I have merge it to your question text.

(13 Apr '17, 20:45) aseerel4c26 ♦

For testing please use the development API, see .

(13 Apr '17, 21:18) aseerel4c26 ♦

I currently get an error message when I try to upload from JOSM: Communication with the JOSM server '' timed out. ... However, I am using OAuth and Test Access Token works fine. Could it be that there is a general issue with uploads via this API?

(13 Apr '17, 23:19) Nachtspazz

Before you do -anything- more: DO NOT TEST AGAINST THE PRODUCTION API

Use one of the dev API and create objects there with the iD instance that runs on them. Further if you a planning to do a mechanical edit you need to think about following the corresponding guideline:

(13 Apr '17, 23:46) SimonPoole ♦

I have created an object in the test DB which is good enough for testing for now.

Testing on the dev instance shows different results. Despite my credentials being correct, attempting to create a changeset is giving "401 Unauthorized" (yes I know the dev credentials are separate from prod). A request to http://api06 redirects to https://master so I can't see what happens on the wire at the moment.

I can see two possible ways forward. Debugging the https stream with Fiddler, or giving up on Basic Authentication and implementing OAuth. Personally I will be happy with Basic over https, and OAuth looks like being quite a bit of work. When the authentication works again, I could also rewrite the code to use osmChange uploads instead of the regular update API, if I can't get the update API to accept a PUT or a POST.

Has anyone got some example code or an example application for a simple update (not an osmChange upload) with Basic Auth that is working today?

(14 Apr '17, 07:45) csmale

By the way, my use case is nothing dramatic, just saving me a bit of typing - small numbers of individual updates to existing objects, each individually reviewed by me. It is neither bulk, nor blind. So I am assuming that it does not fall under the scope of the Automated Edits CoC which refers to "other systematic edits to the database by other means without consideration of each change."

(14 Apr '17, 07:46) csmale
showing 5 of 6 show 1 more comments

Found the problem, thanks to Fiddler.... For debugging I was using http URLs. The server was returning a 301 permanent redirect to an https URL, which HttpWebRequest was handling automatically, resending the original request to the new location. However, the Authentication header is deliberately stripped when it follows the redirect, which makes sense when you think about it. Net result is that all the requests were unauthenticated.

So it works if I avoid the redirects by using the ultimate URL (https://master....) in the original request.

So now I have to turn off automatic redirect handling and handle it myself, but that looks pretty simple (famous last words...)

permanent link

answered 14 Apr '17, 20:42

csmale's gravatar image

accept rate: 16%

meta: thanks, so this question is solved now?

(14 Apr '17, 22:00) aseerel4c26 ♦

Yes, the question is answered for me... Sorry, is there some button I have to push to mark this question as "answered"? I am not familiar with this board, it doesn't seem to work quite the same as other forums.

(14 Apr '17, 22:39) csmale

@csmale: don't worry. There is the "accepted" button, however, that does not work for self-answered questions. I did for you now.

(14 Apr '17, 22:46) aseerel4c26 ♦

Basic Authentication should still work (e.g. JOSM supports it).

Just a vague guess: try to supply a meaningful user agent with the HTTP request. I guess you are currently using nothing or "".

permanent link

answered 13 Apr '17, 21:18

aseerel4c26's gravatar image

aseerel4c26 ♦
accept rate: 18%

Thanks for the comments so far...

I have looked at JOSMs traffic with Wireshark - after setting JOSM to use Basic Auth with http. It does indeed work, but it uses a different call - POST on <changeset>/upload with an osmChange payload whereas I am using a PUT with an osm payload. What I am doing is according to the API documentation as far as I can see...

I tried to use the dev API but the database is empty so I would have to actually write code to create an object first. All I am actually trying to do is to update a single tag.

Is the user agent seriously relevant here? Does the API behaviour change according to the user agent string?

(13 Apr '17, 21:30) csmale

@csmale: as said, the agent thing was just a guess. I do not know if there is possibly some blocking in place. Also it would not explain the 405 HTTP response. Let's wait a bit until someone more knowingly comes by.

Regarding the dev database: just add objects using JOSM.

(13 Apr '17, 21:42) aseerel4c26 ♦

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 13 Apr '17, 20:17

question was seen: 4,655 times

last updated: 25 Mar '18, 23:47

NOTICE: is no longer in use from 1st March 2024. Please use the OpenStreetMap Community Forum