How to restrict who can call an API Atlassian Service?

Claudia Ramirez June 25, 2022

Hello all,
I would like information on how to restrict who can call an API in Jira Cloud. The main issue is that we want only developers to be able to make API calls. My understanding is that users who have permission to do something through the UI, like create an issue, also have permission to do that via an API call. What we want to prevent is a non-developer who has the ability to create an issue in the UI from being able to invoke that call through the API.

Any advice on this will be greatly appreciated. 
Best Regards 

Claudia 

1 answer

1 accepted

1 vote
Answer accepted
Nic Brough -Adaptavist-
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 25, 2022

There's no way to do this.

Why would you want to?  What's wrong with letting people create issues when they have the permission to?

Claudia Ramirez June 27, 2022

Thank you very much for your answer @Nic Brough -Adaptavist-

It is a control that the organization's security team is asking us to have. They want to prevent non-developers from invoking API calls; they can create an issue via the UI, but they would not be able to invoke the API call in any other way. For Basic authorization to the REST APIs (simple scripts and manual calls), can it be as simple as not sharing an API token and managing the API tokens granted?

Thank you! 

Nic Brough -Adaptavist-
June 27, 2022

I'd question what your security team is saying - what is the logic behind blocking the access?  What security problem would it solve?  Given that the users can do anything in the UI already, it's not going to plug any security holes.

There's still no reason to block your users from using the API. They're using it for some of the activities in Jira anyway (the UI makes REST calls to itself in quite a lot of places).

Yes, you could "not share an API token", but you won't be able to stop people creating them.

Claudia Ramirez June 28, 2022

Thank you very much for your response @Nic Brough -Adaptavist-!
It also has to do with some performance situations, as some users can make scripts that can produce performance issues.

One question, Nic, on Jira Data Center you can administer personal access tokens as an admin, and revoke those tokens if it is needed. Do you know if on Jira Cloud you have this feature? 

Thank you very much

Claudia

Nic Brough -Adaptavist-
June 29, 2022

Ah, ok, I had not picked up the main problem. It's not security, it's performance.

I don't think you can do that on Cloud unless you are using Atlassian Access for the users. 

Claudia Ramirez June 30, 2022

@Nic Brough -Adaptavist- Thank you very much. I reviewed the Atlassian Access documentation. 

I think that the simplest way to restrict calls to the REST API would be monitoring and then revoking the personal tokens.
Thank you for your responses Nic and have a great long weekend!

Nic Brough -Adaptavist-
June 30, 2022

I know it's not what you were hoping for, but I'm glad we got you something that might be useful.

I don't have a long weekend, I'm English.

Claudia Ramirez June 30, 2022

@Nic Brough -Adaptavist- anyway, enjoy your weekend, and thanks :)
Cheers