Basic auth with wrong API token returns 200 OK

Zoltan Penzeli
I'm New Here
August 14, 2025

Yesterday I was experimenting with Jira's v3 REST API, but I got back a 200 OK response for a request when I used the wrong Auth (token), and was presented with an empty result set...

It's completely non-trivial from a user's perspective what's happening and what the reason for the dataset is.

Is this an Atlassian/security thing? How can I make sure I used the right API token and I have access to the resource(s) I'm querying?

Request:

curl --location 'https://[redacted].atlassian.net/rest/api/3/project/search' \
--header 'Accept: application/json' \
--header 'Authorization: Basic something'

Response:

{
  "self": "https://[redacted].atlassian.net/rest/api/3/project/search?maxResults=50&startAt=0",
  "maxResults": 50,
  "startAt": 0,
  "total": 0,
  "isLast": true,
  "values": []
}

1 answer

1 accepted

0 votes
Answer accepted
Sunny Ape
Rising Star
August 14, 2025

Hello @Zoltan Penzeli 

If you refer to the Get projects paginated endpoint, you will see where it says "This operation can be accessed anonymously". This means that anyone can query the endpoint, without any authorisation, hence the reason for the 200 OK response.

That endpoint will only return values IF the query provides authentication, and the results returned depend on the Project permissions that user has. That too is described in the documentation.

How can I make sure I used the right API token and I have access to the resource(s) I'm querying?

It's not clear what you mean by "the right API token". A Basic Auth API Token is associated with a user account, and it's the user account that determines if a request has "access to the resources" being queried, not the token itself. If the user doesn't have access to a resource, the request will return no results or a 401 error.

As such, there are no 'right' or 'wrong' API tokens, only 'right' or 'wrong' user permissions.

Zoltan Penzeli
August 14, 2025

My use case here was the following:

  • created an API key
  • tried to use it via Postman - setting up "Basic Auth" with email:apikey
  • I got back the "empty" result set (see my post) + 200OK
  • I tried to "debug" the situation, after a while I realised I misspelled my email in the Auth
  • I still got back an empty result set - at this stage I still wasn't sure if my Auth details were fine or not, or maybe the scopes weren't set up properly, or the whole API access on the instance was configured wrong?

Now, upon trying other endpoints (where anonymous access is not allowed), I realised that it gives an error when auth details are wrong, so I was pretty "unlucky" I was sticking to trying the "/project/search" endpoint.

My point here: I've never seen a backend where using a non-existing API key (a.k.a. "wrong credentials") is assumed to be anonymous access... In my head there is a difference between "without any authorization" (no Auth header) and "using a non-existing API key/wrong password" (invalid content in the Auth header).

So now I know how the Basic auth works in Atlassian API, but it wasn't trivial/intuitive for me when I started my journey...

Sunny Ape
August 14, 2025

Glad you've got it under control now.

I've never seen a backend where using non-existing API key (a.k.a. "wrong credentials") is assumed to be an anonymous access

I know, some of Atlassian's REST API error codes seem contradictory; why have an endpoint that can return a 401 Unauthorised error when every request to that endpoint is, in reality, authorised.

What happened was the API gave you a response that looked the same as one for anonymous access. The credentials were wrong, so no results could be returned... which is exactly the same result as if making an anonymous request.

One of the quickest ways to know if the Basic Auth API Token you're using is valid and has been applied correctly is to do a request against the Get current user endpoint. Because it doesn't permit anonymous access, you know straight away where the problem is.
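The preflight check suggested above, and the distinction the accepted answer draws between "bad credentials" and "authenticated but no visible projects", as an added example (not code from either poster or from Atlassian). It assumes the two endpoints the thread refers to, GET /rest/api/3/myself (rejects anonymous requests) and GET /rest/api/3/project/search (accepts them and returns an empty page when the caller can see nothing). The real transport uses urllib; the fake transport, the site URL, the e-mail addresses, tokens, account ids and project key are all constructed so the script runs offline and mirrors exactly the behaviour reported in the thread.

```python
"""Jira Cloud Basic Auth preflight: verify credentials on /myself before
trusting a 200 from an anonymously accessible endpoint."""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A transport takes (url, headers) and returns (http_status, body_text).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


def basic_auth_header(email: str, api_token: str) -> str:
    """Build the Authorization value Jira expects: base64("email:token")."""
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport (network): 4xx/5xx arrive as HTTPError, return them as status."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def check_credentials(site: str, email: str, api_token: str,
                      send: Transport = urllib_transport) -> dict:
    """GET /myself: 200 proves the email:token pair is valid, anything else does not."""
    headers = {"Accept": "application/json",
               "Authorization": basic_auth_header(email, api_token)}
    status, body = send(f"{site}/rest/api/3/myself", headers)
    if status == 200:
        who = json.loads(body)
        return {"authenticated": True, "account_id": who.get("accountId"), "status": status}
    return {"authenticated": False, "account_id": None, "status": status}


def list_projects(site: str, email: str, api_token: str,
                  send: Transport = urllib_transport) -> dict:
    """Query project/search only after the preflight, so the three cases the
    thread conflates into '200 + empty values' come back as distinct outcomes:
    'bad-credentials', 'no-visible-projects' (authenticated, but the account
    lacks Browse Projects permission on every project) and 'ok'."""
    who = check_credentials(site, email, api_token, send)
    if not who["authenticated"]:
        return {"outcome": "bad-credentials", "status": who["status"], "keys": []}
    headers = {"Accept": "application/json",
               "Authorization": basic_auth_header(email, api_token)}
    status, body = send(f"{site}/rest/api/3/project/search", headers)
    if status != 200:
        return {"outcome": "error", "status": status, "keys": []}
    page = json.loads(body)
    keys = [p["key"] for p in page.get("values", [])]
    if page.get("total", 0) == 0:
        return {"outcome": "no-visible-projects", "status": status, "keys": []}
    return {"outcome": "ok", "status": status, "keys": keys}


# --- Constructed offline stand-in for a Jira site (not a real tenant) ---------
FAKE_SITE = "https://example.atlassian.net"
FAKE_ALICE = basic_auth_header("alice@example.com", "token123")   # sees project SEC
FAKE_BOB = basic_auth_header("bob@example.com", "token456")       # valid, sees nothing
FAKE_ACCOUNTS = {FAKE_ALICE: "constructed-account-alice", FAKE_BOB: "constructed-account-bob"}


def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Mirrors the thread: /myself 401s on unknown credentials; /project/search
    answers 200 with an empty page for anonymous or unrecognised callers."""
    auth = headers.get("Authorization")
    path = url[len(FAKE_SITE):]
    if path == "/rest/api/3/myself":
        if auth in FAKE_ACCOUNTS:
            return 200, json.dumps({"accountId": FAKE_ACCOUNTS[auth]})
        return 401, ""
    if path.startswith("/rest/api/3/project/search"):
        values = [{"key": "SEC", "name": "Security"}] if auth == FAKE_ALICE else []
        return 200, json.dumps({"maxResults": 50, "startAt": 0, "total": len(values),
                                "isLast": True, "values": values})
    return 404, ""


if __name__ == "__main__":
    for email, token in [("alice@example.com", "token123"),
                         ("bob@example.com", "token456"),
                         ("alcie@example.com", "token123")]:   # misspelled e-mail
        print(email, "->", list_projects(FAKE_SITE, email, token, fake_transport))
```

Against a real site, drop the `send` argument so `urllib_transport` is used; a misspelled e-mail or a revoked token then shows up as `bad-credentials` with a 401 from /myself, instead of a plausible-looking empty project list.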

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM