API Token Not Matching User Permission

Huan Ting Chen June 20, 2018

Just wondering if an API token is an admin access token. I've done the following tests using Postman and they seemed to be dangerous.

- Any Atlassian user can generate an API token even if a particular Jira site access is deactivated.

- An API token can be used without a user (email) specified.

- An API token can be used to access any API even if the user doesn't have permission. I got a 401 when I just pasted the URL in the browser while logged on.

- An API token is still valid after a particular Jira site access is deactivated.

Any idea?

2 answers

0 votes
Deleted user April 6, 2023

I'm having the same issue as described above: my user has permissions in the UI but not via the API.

0 votes
Claudiu Lionte
Atlassian Team
June 22, 2018

Hi Huan,

When a user generates an API token at https://id.atlassian.com, any API calls made using that token will be treated as coming from that specific user. In other words, any script configured with that API token will run with the same permissions that the user has.

If the script attempts to perform an operation that the user does not have permission to perform, Jira returns a 401 error code (Unauthorized). This is expected behavior since this HTTP status describes the situation best.

If site access is disabled for a user, any script / API calls running with an API token generated by that user will return a 401.

The fact that a user can generate an API token even if site access has been disabled is related to the fact that a user can have access to multiple Jira sites and can use the same API token to send API calls to either of them.

Huan Ting Chen June 24, 2018
If the script attempts to perform an operation that the user does not have permission to perform, Jira returns a 401 error code (Unauthorized).
If site access is disabled for a user any script / API calls running with an API token generated by that user will return a 401

These are not true. I can still get 200 even when a user doesn't have permission or access is disabled. I also figured out that an API token is still valid after I revoked it. I've tested the above on two different Jira sites and they behaved the same. Please can you advise?

Claudiu Lionte
Atlassian Team
June 25, 2018

Hi Huan,

I tried to replicate the behavior that you described but I couldn't. Please open a ticket at https://support.atlassian.com/contact and mention me, so we can take the discussion further privately, as I need some private information in order to investigate the behavior.

Claudiu

Ivanov, Kyrylo [Global IT]
I'm New Here
November 17, 2020

I have created an API token but got an error:

[Debug] [ Jira Webhook ] Received response with status code 404
{"errorMessages":["Issue does not exist or you do not have permission to see it."],"errors":{}}

The issue exists and I have permissions to read it.

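Claudiu's explanation (token calls run as the user who generated it) and Kyrylo's 404 both come down to the same check: who does the token authenticate as, and can that user see the resource? The script below is an added example, not code from this thread or from Atlassian. It builds the Basic auth header Jira Cloud expects (e-mail plus token), asks `/rest/api/2/myself` who the token maps to, then requests one issue and classifies the status code, including Jira's habit of returning 404 rather than 403 for issues the user is not allowed to view. The site URL, e-mail, token and issue key are placeholders, the two endpoints are the standard Jira REST ones, and the HTTP transport is injectable so the example runs offline against constructed responses.

```python
"""Probe what a Jira Cloud API token can do, as the thread discusses.

Added example, not code from the thread or from Atlassian. Assumed (not from
the thread): the site URL, e-mail, token and issue key are placeholders, and
/rest/api/2/myself and /rest/api/2/issue/{key} are the standard Jira REST
endpoints. The HTTP transport is injectable so the example also runs offline
against constructed responses.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Transport = Callable[[urllib.request.Request], Tuple[int, str]]


def basic_auth_header(email: str, api_token: str) -> str:
    """Jira Cloud takes the token as HTTP Basic auth; the user part is the account e-mail."""
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(site: str, path: str, email: str, api_token: str) -> urllib.request.Request:
    req = urllib.request.Request(site.rstrip("/") + path, method="GET")
    req.add_header("Authorization", basic_auth_header(email, api_token))
    req.add_header("Accept", "application/json")
    return req


def urllib_transport(req: urllib.request.Request) -> Tuple[int, str]:
    """Real transport: return (status, body); HTTP error statuses are data, not exceptions."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def canned_transport(responses: Dict[str, Tuple[int, str]]) -> Transport:
    """Offline transport keyed by URL path (constructed responses for the demo)."""
    def transport(req: urllib.request.Request) -> Tuple[int, str]:
        path = urllib.parse.urlparse(req.full_url).path
        return responses.get(path, (404, '{"errorMessages":["no canned response"],"errors":{}}'))
    return transport


@dataclass
class ProbeResult:
    status: int
    verdict: str
    detail: str


def classify(status: int, body: str) -> ProbeResult:
    """Map a Jira response to what it says about the token and the user's permissions."""
    if status == 200:
        return ProbeResult(status, "allowed", "request succeeded as this user")
    if status == 401:
        return ProbeResult(status, "unauthenticated",
                           "token not accepted: revoked, wrong e-mail, or site access removed")
    if status == 403:
        return ProbeResult(status, "forbidden", "token accepted, but the user lacks permission")
    if status == 404:
        # Jira answers 404 rather than 403 for issues the user is not allowed to see,
        # so a 404 on an issue that exists usually means a permission problem.
        try:
            messages = json.loads(body).get("errorMessages", [])
        except ValueError:
            messages = []
        return ProbeResult(status, "not-visible", "; ".join(messages) or "not found")
    return ProbeResult(status, "other", body[:200])


def probe(site: str, email: str, api_token: str, issue_key: str,
          transport: Transport = urllib_transport) -> Dict[str, ProbeResult]:
    """Check who the token authenticates as, then whether that user can read one issue."""
    checks = {"myself": "/rest/api/2/myself", "issue": f"/rest/api/2/issue/{issue_key}"}
    return {name: classify(*transport(build_request(site, path, email, api_token)))
            for name, path in checks.items()}


# Constructed responses: a valid token for a user who cannot see issue ABC-1.
SAMPLE_RESPONSES = {
    "/rest/api/2/myself": (200, '{"emailAddress":"user@example.com","displayName":"Example User"}'),
    "/rest/api/2/issue/ABC-1": (404, '{"errorMessages":["Issue does not exist or you do not have permission to see it."],"errors":{}}'),
}

if __name__ == "__main__":
    # Drop the transport= argument to run against a real site with real credentials.
    for name, result in probe("https://example.atlassian.net", "user@example.com",
                              "API_TOKEN_PLACEHOLDER", "ABC-1",
                              transport=canned_transport(SAMPLE_RESPONSES)).items():
        print(f"{name:7} {result.status} {result.verdict}: {result.detail}")
```

Reading the two results together is what matters: a 200 from `myself` with a 404 on the issue means the token is fine and the user's issue permissions are the problem, while a 401 on `myself` means the token itself is not accepted (revoked, wrong e-mail, or no site access). If the answers look wrong, the pair of results is exactly what to attach to a support ticket.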
