API Token Not Matching User Permission

Just wondering if an API token is an admin access token. I've done the following tests using Postman and they seemed to be dangerous.

- Any Atlassian user can generate an API token even if access to a particular Jira site is deactivated.

- An API token can be used without a user (email) specified.

- An API token can be used to access any API even if the user doesn't have permission. I got a 401 when I just pasted the URL in a browser while logged on.

- An API token is still valid after access to a particular Jira site is deactivated.

Any idea?

2 answers

0 votes
Madeline Ryder
I'm New Here
Apr 06, 2023

I'm having the same issue as described above: my user has permissions in the UI but not via the API.

0 votes
Claudiu Lionte
Atlassian Team
Jun 22, 2018

Hi Huan,

When a user generates an API token at https://id.atlassian.com, any API calls made using that token will be treated as coming from that specific user. In other words, any script configured with that API token will run with the same permissions that the user has.

If the script attempts to perform an operation that the user does not have permission to perform, Jira returns a 401 error code (Unauthorized). This is expected behavior since this HTTP status describes the situation best.

If site access is disabled for a user, any script / API calls running with an API token generated by that user will return a 401.

The fact that a user can generate an API token even if site access has been disabled is related to the fact that a user can have access to multiple Jira sites and can use the same API token to send API calls to either of them.

If the script attempts to perform an operation that the user does not have permission to perform, Jira returns a 401 error code (Unauthorized).
If site access is disabled for a user, any script / API calls running with an API token generated by that user will return a 401.

These are not true. I can still get 200 even when a user doesn't have permission or access is disabled. I also figured out that an API token is still valid after I revoked it. I've tested the above on two different Jira sites and they behaved the same. Please can you advise?

Claudiu Lionte
Atlassian Team
Jun 25, 2018

Hi Huan,

I tried to replicate the behavior that you described but I couldn't. Please open a ticket at https://support.atlassian.com/contact and mention me, so we can take the discussion further privately, as I need some private information in order to investigate the behavior.

Claudiu

I have created an API token but got an error:

[Debug] [ Jira Webhook ] Received response with status code 404
{"errorMessages":["Issue does not exist or you do not have permission to see it."],"errors":{}}

The issue exists and I have permissions to read it.

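A way to check what a token actually grants, and to confirm it stops working after revocation or after site access is disabled, as an added example that is not code from this thread or from Atlassian. It assumes Jira Cloud basic auth with email plus API token (the mechanism the answer above describes) and the /rest/api/3/myself and /rest/api/3/issue/{key} endpoints; the site, user, token and issue key at the bottom are placeholders.

```python
import base64
import json
import urllib.error
import urllib.request

def basic_auth_header(email, token):
    """Jira Cloud basic auth: base64 of 'email:api_token'."""
    raw = f"{email}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def classify(status, body):
    """Turn one response into the verdict a token owner cares about."""
    if status == 200:
        return "accepted: token valid and user permitted"
    if status == 401:
        return "rejected: token revoked, wrong email, or site access disabled"
    if status == 403:
        return "forbidden: token valid but user lacks permission"
    if status == 404:
        try:  # Jira hides issues the user cannot see behind a 404 (see above)
            msgs = json.loads(body or "{}").get("errorMessages", [])
        except (ValueError, AttributeError):
            msgs = []
        if any("permission" in m.lower() for m in msgs):
            return "hidden: issue missing or user cannot see it"
        return "not found"
    return f"unexpected status {status}"

def probe(base_url, path, email, token):
    """GET one endpoint; return (status, body) instead of raising on 4xx."""
    req = urllib.request.Request(base_url + path, headers={
        "Authorization": basic_auth_header(email, token),
        "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def verify_token(base_url, email, token, issue_key):
    """Identity first, then one issue. Re-run after revoking the token or
    disabling site access: both checks should then come back 'rejected'."""
    checks = {"myself": "/rest/api/3/myself",
              issue_key: f"/rest/api/3/issue/{issue_key}"}
    return {name: classify(*probe(base_url, path, email, token))
            for name, path in checks.items()}

if __name__ == "__main__":  # placeholders, not real values
    print(verify_token("https://your-site.atlassian.net",
                       "you@example.com", "YOUR_API_TOKEN", "PROJ-1"))
```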
