请说明一下。Jenkins REST API with CSRF requires crumbs for user:PASSWORD, but not user:API_TOKEN?

我发现，用 启用CSRF保护，我可以用crumbs头发出一个帖子请求，然后用 username:PASSWORD 为基本的认证头。

String basic = "<username>:<PASSWORD>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Jenkins-Crumb", "<CRUMB>");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes()));
c.getInputStream().close();

或使用 username:APITOKEN 的基本认证头，在这种情况下，crumbs头是不必要的。

String basic = "<username>:<APITOKEN>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes()));
c.getInputStream().close();

问题:

• 这是预期的用法吗（用户名：APITOKEN，不含crumbs头）？文档和现有的SO的答案都很模糊。

使用Jenkins 2.164.3和Java 8。