Same behavior (tested against locally deployed version of the mentioned REPO, and against https://todo-aerogear.rhcloud.com)

curl -3 -v -H "Accept: application/json" -H "Content-type: application/json" -X POST https://todo-aerogear.rhcloud.com/todo-server/auth/login -d '{"username":"john","password":"123"}'

==> returns "a692420-8e01-4407-88a8-7324b4cf32fe" for the Auth-Token

curl -3 -v -H "Accept: application/json" -H "Content-type: application/json" --header "Auth-Token: 4a692420-8e01-4407-88a8-7324b4cf32fe" -X GET https://todo-aerogear.rhcloud.com/todo-server/tags

HOWEVER this is not using Cookies;

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira