Hello Community,
I'm currently working on an application where I upload attachments to Jira issues using the Jira REST API. After the upload, I retrieve the issue details via the API, which includes the attachment URLs (e.g., https://your-domain.atlassian.net/secure/attachment/{id}/filename.pdf
).
The issue I'm facing is:
When I try to access these attachment URLs directly via browser (or from a frontend app like Angular), I get a "Permission Denied" (403) error — unless I'm already logged in to Jira in that browser session.
This behavior occurs even though the attachments are correctly uploaded, and I have the correct URL returned from the Jira API.
My backend is built in ASP.NET Core Web API (C#), and the frontend is in Angular. I understand this is due to Jira's authentication mechanism, but I would like to know the recommended and secure way to access or expose these attachments to users via a web application.
Is there a best practice or officially recommended way to expose these attachments to frontend users who are not logged in to Jira?
Is it acceptable to proxy the file through my backend (authenticated with API token), and serve it to the frontend?
Is there a way to generate public or time-limited links to Jira attachments?
Any advice, architectural recommendations, or security best practices would be greatly appreciated.
Thank you!
Hey @siddhesh B Lad,
The only thing I'm aware of is using the recently introduced Attachment security options to enable anonymous downloading of attachments in customer notifications—see https://support.atlassian.com/jira-service-management-cloud/docs/set-up-how-your-customers-access-attachments/.
However, those links are generated notification-wise, and this feature is limited to paid Jira Service Management plans (Standard and above).
Regards,
Thorsten
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.