How to perform cookie based authentication in crowd + Jira + SSO using Rest API's


Hello Team,

I had done some research and found the below details,

To authenticate the Crowd + Jira environment using cookie based authentication I need to have cookie.token_key & JSESSIONID token.

My main goal is to use the cookies to access Jira which is integrated with crowd using REST calls.

* crowd.token_key  - I could not find any source how to retrieve it using REST api 

* In POSTMAN (Rest client) to login to the crowd server as ex: 


with POST body username.... pwd ... in JSON format.. 

Jira app name & pwd using basic authentication if we provide then it works.

If I do as above it returns the JSESSIONID token but I could not retrieve the crowd token.

I am not sure the above way is proper or not.

I have few questions.

* How to retrieve crowd.token_key and its value using REST APIs

* How to get the JSESSIONID token

* How to pass these session tokens to retrieve any data from the Jira server. Ex: issues, users ...

NOTE: Please do not post the way using crowd libraries, like CrowdClient APIs.

Thanks in advance.


3 answers

1 vote

Hi @Shan

You don't need to request Crowd to get a crowd.token_key cookie. A simple request to Jira is enough. This is a better approach as you won't need to expose jira's application name and password.

Here is the workflow:

1. Request the login URL of Jira (with username and password in basic authentication).

You will get a crowd.token_key cookie, a JSESSIONID cookie and an atlassian.xsrf.token cookie.

For instance:

curl -X GET -u "username:password" --silent --output /dev/null -c - ''

Will return:

# Netscape HTTP Cookie File
# This file was generated by libcurl! Edit at your own risk.

    FALSE    /    FALSE    0    JSESSIONID    ABC*****************************
    FALSE    /    FALSE    0    crowd.token_key    "123*****************************"
    FALSE    /    FALSE    0    atlassian.xsrf.token    XYZ*****************************

2. Now, send whatever request you want to Jira by adding all 3 cookies.

For instance:

curl -X GET -H "Accept: application/json" -b "JSESSIONID=ABC*****************************;crowd.token_key=123*****************************;atlassian.xsrf.token=XYZ*****************************" ''

Will return your user profile in JSON format.
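
An added example, not part of the original answer: a shell helper that reads the cookie jar curl writes with -c in step 1, builds the -b string for step 2, and lists which of the three cookies named above are missing (for instance when only JSESSIONID comes back). The host jira.example.test, the cookie values and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the cookie jar that "curl -c FILE" writes in step 1.
# Host, cookie values and function names are constructed placeholders.
REQUIRED="JSESSIONID crowd.token_key atlassian.xsrf.token"

# Print one name=value per cookie. The jar is tab-separated with 7 fields;
# HttpOnly cookies are stored behind a "#HttpOnly_" prefix, so strip that
# prefix before discarding real comment lines.
jar_pairs() {
    awk -F '\t' '
        /^#HttpOnly_/ { sub(/^#HttpOnly_/, "") }
        /^#/ || NF < 7 { next }
        { print $6 "=" $7 }' "$1"
}

# Build the string for "curl -b" in step 2 (same a=1;b=2 form as the answer).
jar_cookie_header() {
    jar_pairs "$1" | paste -sd ';' -
}

# List the required cookies that the jar does not contain.
jar_missing() {
    missing=""
    for want in $REQUIRED; do
        jar_pairs "$1" | cut -d= -f1 | grep -qxF "$want" || missing="$missing $want"
    done
    echo "${missing# }"
}

# Constructed sample: a login response that set no crowd.token_key.
sample_jar() {
    printf '# Netscape HTTP Cookie File\n'
    printf '#HttpOnly_jira.example.test\tFALSE\t/\tFALSE\t0\tJSESSIONID\tABC-placeholder\n'
    printf 'jira.example.test\tFALSE\t/\tFALSE\t0\tatlassian.xsrf.token\tXYZ-placeholder\n'
}

jar=$(mktemp)            # mktemp creates the file with owner-only permissions
sample_jar > "$jar"
echo "cookie string: $(jar_cookie_header "$jar")"
echo "missing:       $(jar_missing "$jar")"
rm -f "$jar"             # the jar holds live session tokens; do not leave it behind
```

An empty "missing" line means all three cookies were set and the cookie string can be passed to curl -b as in step 2.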

Hello Bruno,

Thanks a lot for your reply.

Using curl I did not get any response in the command prompt. It was just blank.

I had tried as you mentioned in the first step using POSTMAN Rest client, 

as "http://Serverip:9090/login" with my user name & pwd using basic authentication. 

It did not work and returned 404; I feel the URL is wrong.

Normally we will use the url as 

"http://serverip:9090/jira/rest/auth/1/session" along with body of credentials with POST.

Correct me if I am wrong.

One more point to note: I did not configure a domain for Jira, as I am using localhost/server IP directly.

Hi @Shan

The URI should be /login.jsp not /login 😉

But it does not really matter, you can use any valid Jira URL. Since the first time you send your username and password in basic authentication, you will always get a response embedding the 3 cookies that you need to use afterwards.

Hello Bruno,

Sorry, there was a typo in the above reply.

I had tried with the working URL only, when I try it in the browser it pops up login window and works as expected when credentials provided.

But via POSTMAN with basic auth it returns 200 but no info about cookies. I previewed it and it's nothing but a login window. 

Response is ex: 

<!DOCTYPE html>
<html lang="en">
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/> 

......... etc

In CURL there is no response. 

Can you show me the exact curl command you typed please?

(please blur the username and password)

Are you running Linux/macOS or Windows?

Hi Bruno,

Sorry for the late reply.


I hope I had tried the same way as you mentioned. Please correct me if I am wrong.

Hi @Shan

The syntax is different on Windows:

curl -X GET -u "username:password" --silent --output NUL -c - ""

Hi Bruno,

It works. Thanks a lot.


Hi Bruno,

In the curl command I am able to use the cookies and fetch the user details as well.

I have tried to implement the approach using Java (Jersey API).

PFB code is,

Client client = Client.create(); // instance INS
// This is equivalent to curl -u username:password ******
client.addFilter(new HTTPBasicAuthFilter(crowdUserName, crowdUserPassword));

Using this I am able to fetch the cookie details as in the curl command.

Passing these cookies in further calls/requests without the filter (i.e. no user name & password, so only Client client = Client.create();) similar to curl command

Without adding the filter the further calls are not working (returns 401 unauthorized error) --> Q1

So I thought to pass the filter with credentials for further calls or use the above mentioned client instance INS along with/without cookies (I am aware that this is wrong, reason is it's basic auth, not using cookies)

It works but it is creating multiple sessions in JIRA. --> Q2

Can you please let me know solutions for any of the below.

Q1 -> Is there any api or way to resolve the 401 error?

Q2 -> Is there any possibility to avoid creating multiple sessions in jira?

Thanks in advance.

Hi @Shan

The way to go is what I described in my first post (this is basically what you called Q1):

1. the first request with the username and password in the basic auth header to get the cookies

2. the second request without the basic auth header but embedding the cookies you got in the response to your first request.

If it works with curl/postman/whatever http client, it will work with any code sending http requests. So if it is not working now, that means that there is something wrong in your Java code.

I suggest that you enable DEBUG logging on 'com.atlassian.crowd' in Jira to understand why the request you're sending ends up in 401.

Hi Bruno,

Thanks for the response. I will check and correct the java code if any issues.

Hi @Bruno Vincent 


I hope you can help me, I should retrieve the crowd.token_key from java code



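con = (HttpURLConnection) url.openConnection();
con.setRequestProperty("Authorization", "Basic " + encoding);
final int resp = con.getResponseCode();

if (resp != 200) {
    throw new Exception("Target Response : " + resp);
}
// Not final: assigned inside the loop below.
String cookieValue = "";
final List<HttpCookie> cookies = cookieManager.getCookieStore().getCookies();
for (final HttpCookie cookie : cookies) {
    // The post is cut off here; assumed body: pick out the crowd.token_key cookie.
    if ("crowd.token_key".equals(cookie.getName())) {
        cookieValue = cookie.getValue();
    }
}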



But I receive the JSESSIONID as the only cookie, some idea ?

Hi @Francesco Arieta 

Does it work in Postman/curl?

I guess you should first make sure that Crowd SSO is enabled in Jira 

Hi @Bruno Vincent, I'm trying to do the same, but against web SSO (for the Cloud version), since I need to get the cookie cloud.session.token in order to download some attachments from Confluence.

I tried this:

curl -X GET -u "USERNAME:PASSWORD" --output /dev/null -c - ''

And I'm getting cloud.session.token ---> DELETED, not even sure if login is working in this way, I doubt it.

Any idea if login through SSO using curl or wget is even possible nowadays?

Hi @Esteban Mirizio 

Cookie-based authentication has been deprecated in Atlassian Cloud. You should now use API tokens instead:

Thank you so much! Worked like a charm!

@Bruno Vincent , let me know if you need to create another question for this, but I'd like to bypass SSO for Jira as well when I try to hit the login page, but for server. I keep getting redirected even with the JSESSIONID. Any idea on how to bypass this? Thanks!

curl --cookie 'JSESSIONID=<cookie>' https://<base_url>/login.jsp -I

