Jira API - "Client must be authenticated to access this resource."
Hi, I'm a developer working on a Jira API integration for my organization that uses the cloud version of Jira. The eventual goal is to be able to occasionally create issues through the API but for now I'm just trying to get basic authentication working. (I really would prefer to avoid having to implement OAauth 2.0 if possible because the scope of necessary work there seems well beyond the basic need here)
I've been starting off by building some basic API calls in Postman, but I'm having a hard time getting Basic Auth working. Basically every call I've tried making has given me its version of an Auth error.
I've had this issue with other calls like creating issues and viewing issues, but to narrow the scope let's take this basic "myself" API call, and assume that the usual namespace for our org is jira.cloud.xxxx.com:
https://jira.cloud.xxxx.com/rest/api/3/myself
If I'm already logged into Jira in my browser, I can go to this link and it will work perfectly fine, giving me JSON about my current user. So I know this path works, and now I want to make the same call through postman.
I know that for Basic Auth, I need to have it send a combination of my email and my API token which I got from https://id.atlassian.com/manage-profile/security/api-tokens. I've tried going to the Authorization tab, picking Basic Auth, entering my email for the Username, and my API key for the password. When I make the GET API call to that same path, but from Postman with my Basic Auth, I get the following error message:
Client must be authenticated to access this resource.
I know I can also BASE64 encode the combination of my email + semicolon + apikey and put it after the word "Basic" as the value for an "Authorization" header, but it seems like doing it through the Postman UI does the exact same thing; I confirmed the value it's building is the same as if I built the header manually, and tried manually doing it a few times instead instead of doing it through the UI for good measure, no difference.
I tried both with regular and scoped API tokens (for the scoped one, I just gave it every granular permission for editing or inserting issues), and tried both the UI and manual encoding ways for sending the Basic Auth header, and had no difference.
I've also tried changing the 3 in the URL to a 2 just in case, no difference there either.
I thought well, I'm not an admin at my Org, maybe I need to be an Admin? So I was given admin permissions, recreated both my regular and scoped API tokens, no dice. I also had our Jira admin try generating an API token and tried with their email + token, no dice. I had another developer doing the same thing on their end, no dice.
I've tried searching for this error online, but the only things I can find are just people not sending the API Tokens properly. I tried following a step-by-step youtube tutorial for this stuff and they just breeze past this part with no issues in their environment. Either I'm missing something obvious, or there's something about my org that isn't playing nice with the API calls, but I really wouldn't know where to start in that case.
Any advice or ideas would be greatly appreciated!
3 answers
1 accepted
Hi, @Shea Prewett
Try sending hashed email:password in headers. It will help.
Like this:
In my scripts in Python I use such code snippets for ordinary and admin API:
# Atlassian REST API headers
base64_credentials = base64.b64encode(
f"{cloud_api_email}:{cloud_api_token}".encode()
).decode()
headers = {
"Authorization": f"Basic {base64_credentials}",
"Content-Type": "application/json",
}
admin_headers = {
"Authorization": f"Bearer {cloud_admin_api_token}",
"Content-Type": "application/json",
}
Here's a screenshot with the Authorization tab set to "No Auth" (does not generate any headers automatically) and me instead adding the encoded credentials manually through the Headers tab using the method I described previously, by running my email:APIKey through that powershell script and using the encoded value it gives me. No luck, unfortunately.
Ok, I understand.
When I see a URL like 'jira.cloud.xxxx.com' I always start with the assumption the person asking the question is NOT on cloud, even if they cite they are accessing a v3 API endpoint, since 99% of the time, Jira Cloud URLs are in the 'xxxx.atlassian.net', domain, but the introduction of custom domain URLs for organisations has made that difficult to be certain.
From the discussion you've been having with @Evgenii it seems that you're doing everything 'by the book' and there's no obvious reason why a simple Basic Auth'd request using Postman and letting it Base64 encode the email:token combo into the request header isn't working. However, some companies simply don't want their users to access the REST API of their Jira Cloud instance, and since there is no native way to achieve that, they use tricks like Firewall / Proxy based path redirection or request header content blocking to negate the requests. You did say your Jira Admin hadn't been able to perform a request, so I assumed if anyone would know about the configuration of the org's Jira Cloud instance, they would be the person who knows if such network shenanigans were in effect.
I'd recommend that you try an unauthenticated request to one of the endpoints that doesn't need authentication by default. A classic one is the Search for issues using JQL enhanced search endpoint. If you perform a simple JQL search for issueType=Story the request will be processed, return a 200 OK response, but no results:
If that works, you at least know the request path is allowed and routing correctly, and the REST API server can at least 'hear' the request and respond, it just couldn't perform the JQL search without authority.
Next, if all is OK, change that request to basic Auth with the email:token combo (Don't even use a variable; type your actual email address and paste in your actual Basic API token!) and try again:
If the request works and returns a set of Work Items that are Stories, then you know the email:token combination is valid and works.
If the request still does not return any Work Items, then you know the email:token combination is invalid and can mean only three things:
- That token doesn't belong to that user with that email address;
- The user to whom that token belongs doesn't have Browse projects permissions;
- The token itself is invalid. (IE, incomplete, expired, not Basic type but scoped / OAuth type etc).
Once you isolate your problem down to where the fault is occurring, you are most of the way to resolving it.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.