401 Trying to use Insight API

Thanks for getting back to me Andy :)

Based on that doc I should be able to GET https://api.atlassian.com/jsm/insight/workspace/[workspaceID]/v1/iql/objects , right?

If I do the above I keep getting 401s even though:

• Those same credentials are getting me through https://{mysite}/rest/servicedeskapi/insight/workspace which is from where I got the WorkspaceID
• I can browse Insight from the Web UI and look at objects just fine.

Am I lacking some kind of permission that only matters at an API level? If so, is there some doc that I can send my administrators to convince them to get me the permissions?

Thanks!

Yes, that call should work.  There is no separate API permission restriction to my knowledge.  If your account can view this information in the web GUI, then making REST calls with the same account credentials should return the same results.

But if you're seeing a 401 error, this is a pretty clear indication that authorization is either failing or your account here doesn't have the ability to see this. 

Which method to authenticate to the REST API are you using in your call?  (Basic Auth, OAuth, a Connect or Forge App, etc?)

I'm using Basic Auth with my company email and a token I created for this task. I'm getting the same result from Postman and regular Curl

curl -D- \
-u my.user@company.com:P4$$w0Rd \
-X GET \
-H "Content-Type: application/json" \
https://api.atlassian.com/jsm/insight/workspace/{WorkspaceID}/v1/iql/objects

HTTP/2 401
server: envoy
cache-control: no-cache, no-store, max-age=0, must-revalidate
strict-transport-security: max-age=315360000; includeSubDomains; preload
date: Thu, 04 Nov 2021 21:19:44 GMT
x-request-id: 28c8a05cb7526bf4
expires: 0
pragma: no-cache
x-xss-protection: 1; mode=block
x-envoy-upstream-service-time: 78
x-content-type-options: nosniff
x-trace-id: 28c8a05cb7526bf4
x-frame-options: SameOrigin
expect-ct: report-uri="https://web-security-reports.services.atlassian.com/expect-ct-report/global-proxy", enforce, max-age=86400
content-length: 0

Another thing that confuses me is that all the GET calls I see when browsing Insight from JIRA and the browser`s developer tools look like this one:

https://insight-cloud.riada.io/rest/insight/1.0/global/config/object?objectschemaid=1&objecttypeid=7&_=1636060927480

Is that rool URL the expected one?

With basic auth in Atlassian Cloud, we have deprecated the use of a password.  While you can still use a token, I have seen other users report that trying to use the token in the same way as a password will frequently result in authorization errors.  Indeed at one time we did accept tokens in this manner, but no more.

I can see that in your curl call, the use of the -u switch is not going to work for making these calls.  This is because of the way that curl is trying to actually create a login call here.  Instead, please review Basic Auth for REST APIs. This guide has steps for how you have to first create a string composed of your

emailaddress:APItoken

And then base64 encode that string.  From there you have then to craft an authorization header that includes that encoded string.  This header is what will be providing your REST API call the proper authorization.

Your call should look something like this in curl

curl -D- GET \
-H "Authorization: Basic dXNlckBleGFtcGxlLmNvbTphcGlfdG9rZW5fc3RyaW5n" \
-H "Content-Type: application/json" \
"https://api.atlassian.com/jsm/insight/workspace/{WorkspaceID}/v1/iql/objects"

Try that and let me know if that helps.

Andy

I had already tried using headers with base64 encrypted creds and I'm still getting 401s.

This is what I did:

- Tried that same command you sent me with my encoded creds in the "Authorization" header -> Got 401

- Tried to GET https://{MySite}/rest/servicedeskapi/insight/workspace to get my workspace ID using the same header as the previous test (just to make sure my encoded creds are actually working) -> Everything worked

- Tried that same header doing a GET to https://{MySite}/rest/api/2/issue/pos-9317 -> Everything worked

So my creds are clearly getting me somewhere, but not in the realm of Insight :(

Sorry to hear that.  I believe you are on the right track here, but there must be something else causing this error.  I tested this out on an example Cloud site with Insight.  I got my workspace ID from calling my site

curl -D- -X GET -H "Authorization: Basic [redacted]" \
-H "Content-Type: application/json" \
"https://[mytestsite].atlassian.net/rest/servicedeskapi/insight/workspace"

Which gave me the workspace ID.  And then made a similar insight call of

curl -D- -X GET -H "Authorization: Basic [redacted]" \
-H "Content-Type: application/json" \
https://api.atlassian.com/jsm/insight/workspace/[redactedWorkspaceID]/v1/objectschema/list

and I got back a response of

HTTP/2 200 
server: envoy
vary: Accept-Encoding
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-type: application/json
strict-transport-security: max-age=315360000; includeSubDomains; preload
date: Mon, 08 Nov 2021 18:56:55 GMT
x-request-id: [redacted]
expires: 0
pragma: no-cache
x-xss-protection: 1; mode=block
x-envoy-upstream-service-time: 353
x-content-type-options: nosniff
x-trace-id: [redacted]
x-frame-options: SameOrigin
expect-ct: report-uri="https://web-security-reports.services.atlassian.com/expect-ct-report/global-proxy", enforce, max-age=86400
content-length: 2016

{"startAt":0,"maxResults":25,"total":6,"values":[{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:4","id":"4","name":"Computers","objectSchemaKey":"COM","status":"Ok","description":"","created":"2021-08-04T22:46:00.798Z","updated":"2021-08-04T22:46:00.817Z","objectCount":3,"objectTypeCount":2,"idAsInt":4},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:3","id":"3","name":"ABCDE","objectSchemaKey":"MER","status":"Ok","description":"ABCDE in Store","created":"2021-06-11T13:35:04.709Z","updated":"2021-06-11T13:35:04.797Z","objectCount":10,"objectTypeCount":4,"idAsInt":3},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:5","id":"5","name":"MSC","objectSchemaKey":"MSC","status":"Ok","description":"","created":"2021-09-18T10:51:02.078Z","updated":"2021-09-18T10:51:02.136Z","objectCount":0,"objectTypeCount":0,"idAsInt":5},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:38","id":"38","name":"Recruiting Scheme","objectSchemaKey":"AP","status":"Ok","description":"","created":"2021-10-22T18:05:58.556Z","updated":"2021-10-22T18:49:31.540Z","objectCount":8,"objectTypeCount":4,"idAsInt":38},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:1","id":"1","name":"Services","objectSchemaKey":"SVC","status":"Ok","description":"Contains the 'Service' object type and services your site uses across projects.","created":"2021-03-26T04:56:02.417Z","updated":"2021-03-26T04:56:02.434Z","objectCount":3,"objectTypeCount":1,"idAsInt":1},{"workspaceId":"[redactedWorkspaceID]","globalId":"[redactedWorkspaceID]:2","id":"2","name":"WBU Insight","objectSchemaKey":"WI","status":"Ok","created":"2021-05-04T04:30:47.982Z","updated":"2021-05-04T04:30:47.997Z","objectCount":4,"objectTypeCount":2,"idAsInt":2}],"isLast":true}

I also called the IQL endpoint in your example, but my response was too large to post here in Community.  So I can confirm that this is the correct method to call this endpoint.  But I don't have a clear answer as to why your account might not be able to do this. 

At this point I believe the problem is in either the account itself doesn't have permissions to view this info, OR the authorization header is incorrect and in turn won't provide access.  But neither really seem clear to me given that other REST API calls appear to work here. I also tried to use a separate account to make a call to this same site.  In that case I too got a 401 error, but in that case, it's expected because that user was not actually a user on that site. 

Are there any other users on your site that are using the REST API to access this insight data?  I'm just curious to see if we can better understand if the problem is isolated to your account or perhaps there is something else unique to your Cloud site that might be a factor in this problem.

It might be helpful to create a support case to investigate this further.  The problem with doing that is that your account is not a site-admin and in turn you cannot create this yourself.  However if you can reach out to a site-admin of your Atlassian Cloud site and then get that user to create a support case and include you on it over in https://support.atlassian.com/contact/

Perhaps then our support team can view some more private information confidentially than what we can reasonably expect to share here in Community.

Andy

Hi Atlassian Team,

I'm trying to get Asset object information from Jira Service Management using: GET https://api.atlassian.com/jsm/assets/workspace/{WorkspaceID}/v1/aql/objects.

I can get my workspace ID using: GET https://{{my jira url}}/rest/servicedeskapi/assets/workspace.

When I use that workspace id in https://api.atlassian.com/jsm/assets/workspace/{WorkspaceID}/v1/aql/objects, I get 401 unauthorized. I was wondering what other permissions I need or if I'm doing this incorrectly?

Thanks,

D'Artagnan

The 401 error code is a sign that you are not authorized.  The most common cause is the authorization is either missing or invalid. What method are you using for authorization?

I'd recommend walking through Basic Auth for REST APIs if you are trying to just supply a username and password as it provides steps to follow in order to encode your credentials to supply the authorization in a header of your REST call.

Hi Andy,

It appears to be working now after trying again! I didn't have to change anything on my end. In my code, I set the encode as "ascii" and will change it to "utf8" per the doc.

I'm using python, here's a snippet: