Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

401 Trying to use Insight API


Main Error

I keep getting 401 Unauthorized when trying to GET{WorkspaceID}/v1/iql/objects


Actually anything under{WorkspaceID}/v1/ returns a 401 at this point  

Troubleshooting bits


At this point I'm not sure which URL and Auth method I should be using tbh. The documentation seems a bit obscure :(

Which documentation should I be looking at?

Huge thanks in advance :)

1 answer

1 vote
Andy Heinzer Atlassian Team Nov 02, 2021

Hi Dalmiro,

Sorry to hear about this problem.  It looks like you're using Jira Cloud, but the document you reference here appears to be the older server edition of Insight.  For Jira Service Management Cloud's Insights API, please check out

It has a brief overview of how authorization is expected depending on the types of calls being made here.  But then it also has a link to the detailed endpoints documentation such as

Try that and let me know if you run into any problems here.


Thanks for getting back to me Andy :)

Based on that doc I should be able to GET[workspaceID]/v1/iql/objects , right?

If I do the above I keep getting 401s even though:

  • Those same credentials are getting me through https://{mysite}/rest/servicedeskapi/insight/workspace which is from where I got the WorkspaceID
  • I can browse Insight from the Web UI and look at objects just fine.


Am I lacking some kind of permission that only matters at an API level? If so, is there some doc that I can send my administrators to convince them to get me the permissions?



Andy Heinzer Atlassian Team Nov 04, 2021

Yes, that call should work.  There is no separate API permission restriction to my knowledge.  If your account can view this information in the web GUI, then making REST calls with the same account credentials should return the same results.

But if you're seeing a 401 error, this is a pretty clear indication that authorization is either failing or your account here doesn't have the ability to see this. 

Which method to authenticate to the REST API are you using in your call?  (Basic Auth, OAuth, a Connect or Forge App, etc?)

I'm using Basic Auth with my company email and a token I created for this task. I'm getting the same result from Postman and regular Curl

curl -D- \
-u$$w0Rd \
-X GET \
-H "Content-Type: application/json" \{WorkspaceID}/v1/iql/objects


HTTP/2 401
server: envoy
cache-control: no-cache, no-store, max-age=0, must-revalidate
strict-transport-security: max-age=315360000; includeSubDomains; preload
date: Thu, 04 Nov 2021 21:19:44 GMT
x-request-id: 28c8a05cb7526bf4
expires: 0
pragma: no-cache
x-xss-protection: 1; mode=block
x-envoy-upstream-service-time: 78
x-content-type-options: nosniff
x-trace-id: 28c8a05cb7526bf4
x-frame-options: SameOrigin
expect-ct: report-uri="", enforce, max-age=86400
content-length: 0

Another thing that confuses me is that all the GET calls I see when browsing Insight from JIRA and the browser`s developer tools look like this one:


Is that rool URL the expected one?

Andy Heinzer Atlassian Team Nov 05, 2021

With basic auth in Atlassian Cloud, we have deprecated the use of a password.  While you can still use a token, I have seen other users report that trying to use the token in the same way as a password will frequently result in authorization errors.  Indeed at one time we did accept tokens in this manner, but no more.

I can see that in your curl call, the use of the -u switch is not going to work for making these calls.  This is because of the way that curl is trying to actually create a login call here.  Instead, please review Basic Auth for REST APIs. This guide has steps for how you have to first create a string composed of your


And then base64 encode that string.  From there you have then to craft an authorization header that includes that encoded string.  This header is what will be providing your REST API call the proper authorization.


Your call should look something like this in curl

curl -D- GET \
-H "Authorization: Basic dXNlckBleGFtcGxlLmNvbTphcGlfdG9rZW5fc3RyaW5n" \
-H "Content-Type: application/json" \

Try that and let me know if that helps.


I had already tried using headers with base64 encrypted creds and I'm still getting 401s.

This is what I did:

- Tried that same command you sent me with my encoded creds in the "Authorization" header -> Got 401

- Tried to GET https://{MySite}/rest/servicedeskapi/insight/workspace to get my workspace ID using the same header as the previous test (just to make sure my encoded creds are actually working) -> Everything worked

- Tried that same header doing a GET to https://{MySite}/rest/api/2/issue/pos-9317 -> Everything worked


So my creds are clearly getting me somewhere, but not in the realm of Insight :(

Andy Heinzer Atlassian Team Nov 08, 2021

Sorry to hear that.  I believe you are on the right track here, but there must be something else causing this error.  I tested this out on an example Cloud site with Insight.  I got my workspace ID from calling my site

curl -D- -X GET -H "Authorization: Basic [redacted]" \
-H "Content-Type: application/json" \

Which gave me the workspace ID.  And then made a similar insight call of

curl -D- -X GET -H "Authorization: Basic [redacted]" \
-H "Content-Type: application/json" \[redactedWorkspaceID]/v1/objectschema/list

and I got back a response of

HTTP/2 200 
server: envoy
vary: Accept-Encoding
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-type: application/json
strict-transport-security: max-age=315360000; includeSubDomains; preload
date: Mon, 08 Nov 2021 18:56:55 GMT
x-request-id: [redacted]
expires: 0
pragma: no-cache
x-xss-protection: 1; mode=block
x-envoy-upstream-service-time: 353
x-content-type-options: nosniff
x-trace-id: [redacted]
x-frame-options: SameOrigin
expect-ct: report-uri="", enforce, max-age=86400
content-length: 2016

{"startAt":0,"maxResults":25,"total":6,"values":[{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:4","id":"4","name":"Computers","objectSchemaKey":"COM","status":"Ok","description":"","created":"2021-08-04T22:46:00.798Z","updated":"2021-08-04T22:46:00.817Z","objectCount":3,"objectTypeCount":2,"idAsInt":4},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:3","id":"3","name":"ABCDE","objectSchemaKey":"MER","status":"Ok","description":"ABCDE in Store","created":"2021-06-11T13:35:04.709Z","updated":"2021-06-11T13:35:04.797Z","objectCount":10,"objectTypeCount":4,"idAsInt":3},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:5","id":"5","name":"MSC","objectSchemaKey":"MSC","status":"Ok","description":"","created":"2021-09-18T10:51:02.078Z","updated":"2021-09-18T10:51:02.136Z","objectCount":0,"objectTypeCount":0,"idAsInt":5},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:38","id":"38","name":"Recruiting Scheme","objectSchemaKey":"AP","status":"Ok","description":"","created":"2021-10-22T18:05:58.556Z","updated":"2021-10-22T18:49:31.540Z","objectCount":8,"objectTypeCount":4,"idAsInt":38},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:1","id":"1","name":"Services","objectSchemaKey":"SVC","status":"Ok","description":"Contains the 'Service' object type and services your site uses across projects.","created":"2021-03-26T04:56:02.417Z","updated":"2021-03-26T04:56:02.434Z","objectCount":3,"objectTypeCount":1,"idAsInt":1},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:2","id":"2","name":"WBU Insight","objectSchemaKey":"WI","status":"Ok","created":"2021-05-04T04:30:47.982Z","updated":"2021-05-04T04:30:47.997Z","objectCount":4,"objectTypeCount":2,"idAsInt":2}],"isLast":true}

I also called the IQL endpoint in your example, but my response was too large to post here in Community.  So I can confirm that this is the correct method to call this endpoint.  But I don't have a clear answer as to why your account might not be able to do this. 

At this point I believe the problem is in either the account itself doesn't have permissions to view this info, OR the authorization header is incorrect and in turn won't provide access.  But neither really seem clear to me given that other REST API calls appear to work here. I also tried to use a separate account to make a call to this same site.  In that case I too got a 401 error, but in that case, it's expected because that user was not actually a user on that site. 

Are there any other users on your site that are using the REST API to access this insight data?  I'm just curious to see if we can better understand if the problem is isolated to your account or perhaps there is something else unique to your Cloud site that might be a factor in this problem.

It might be helpful to create a support case to investigate this further.  The problem with doing that is that your account is not a site-admin and in turn you cannot create this yourself.  However if you can reach out to a site-admin of your Atlassian Cloud site and then get that user to create a support case and include you on it over in

Perhaps then our support team can view some more private information confidentially than what we can reasonably expect to share here in Community.


Hi Atlassian Team,


I'm trying to get Asset object information from Jira Service Management using: GET{WorkspaceID}/v1/aql/objects.

I can get my workspace ID using: GET https://{{my jira url}}/rest/servicedeskapi/assets/workspace.

When I use that workspace id in{WorkspaceID}/v1/aql/objects, I get 401 unauthorized. I was wondering what other permissions I need or if I'm doing this incorrectly?




Andy Heinzer Atlassian Team Feb 22, 2023

The 401 error code is a sign that you are not authorized.  The most common cause is the authorization is either missing or invalid. What method are you using for authorization?

I'd recommend walking through Basic Auth for REST APIs if you are trying to just supply a username and password as it provides steps to follow in order to encode your credentials to supply the authorization in a header of your REST call.

Hi Andy,


It appears to be working now after trying again! I didn't have to change anything on my end. In my code, I set the encode as "ascii" and will change it to "utf8" per the doc.

I'm using python, here's a snippet:

cred_string = f"{cfg['jira']['username']}:{cfg['jira']['api_token']}"
cred_string_bytes = cred_string.encode("ascii")
base64_bytes = base64.b64encode(cred_string_bytes)
base64_string = base64_bytes.decode("ascii")

headers = {
"Accept": "application/json",
"Content-Type": "application/json",
"Authorization": f"Basic {base64_string}"

response = request(
I also wanted to ask about these other endpoints, because they show up in docs. When I try to use them, I get a 404 error.
- rest/assets/<version>/aql/objects (

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events