On page 26 of the REST API guide (https://documentation.solarwinds.com/archive/pdf/whd/whdapiguide.pdf) it shows that to upload an attachment via the REST interface, you must establish a session by passing the JSESSIONID and WOSID cookie in the header:
POST /helpdesk/attachment/upload?type=jobTicket&entityId=40&returnFields=id, uploadDate HTTP/1.1
Cookie: JSESSIONID=BA1B63AA2DD9EBBB62B7A20E37377DED; wosid=EoPFUriceH4t4jn5HiXiqg
Content-Type: multipart/form-data; boundary====1400591996857===
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.7.0_55
Host: 127.0.0.1:8081
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 2143
--===1400591996857===
Content-Disposition: form-data; name="fileUpload"; filename="my.ini"
Content-Type: null
Content-Transfer-Encoding: binary
# MySQL Server Instance Configuration File
# ----------------------------------------------------------------------... the rest of the file...
--===1400591996857===--
The Cookie header is a Forbidden Header (https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name) and as such cannot be manipulated in the browser using javascript and the fetch API. This makes using a pure client side frameworks such as VUEJS (https://vuejs.org/) or REACT (https://reactjs.org/) impossible. Also, the attachment upload is the ONLY interface in the REST API that uses the session instead of directly passing the API KEY. The Attachment interface should be rewritten to either utilize the API KEY like the rest of the interfaces in the REST API do or use industry standard and implement the passing of the WOSID and JSESSIONID value via the Authorization header
