API Token Not Matching User Permission

Just wondering if an API token is an admin access token. I've done the following tests using Postman, and the results seemed dangerous.

- Any Atlassian user can generate an API token even if their access to a particular Jira site is deactivated.

- An API token can be used without a user (email) being specified.

- An API token can be used to access any API even if the user doesn't have permission. I got a 401 when I just pasted the URL into the browser while logged on.

- An API token is still valid after access to a particular Jira site is deactivated.

Any idea?

1 answer

0 votes

Hi Huan,

When a user generates an API token at https://id.atlassian.com, any API calls made using that token will be treated as coming from that specific user. In other words, any script configured with that API token will run with the same permissions that the user has.

If the script attempts to perform an operation that the user does not have permission to perform, Jira returns a 401 error code (Unauthorized). This is expected behavior since this HTTP status describes the situation best.

If site access is disabled for a user, any script or API call running with an API token generated by that user will return a 401.

The fact that a user can generate an API token even if site access has been disabled is related to the fact that a user can have access to multiple Jira sites and can use the same API token to send API calls to either of them.

If the script attempts to perform an operation that the user does not have permission to perform, Jira returns a 401 error code (Unauthorized).
If site access is disabled for a user, any script or API call running with an API token generated by that user will return a 401.

These are not true. I can still get a 200 even when a user doesn't have permission or access is disabled. I also figured out that an API token is still valid after I revoked it. I've tested the above on two different Jira sites and they behaved the same. Can you please advise?

Hi Huan,

I tried to replicate the behavior that you described but I couldn't. Please open a ticket at https://support.atlassian.com/contact and mention me, so we can take the discussion further privately, as I need some private information in order to investigate the behavior.

Claudiu

I have created an API token but got an error:

[Debug] [ Jira Webhook ] Received response with status code 404
{"errorMessages":["Issue does not exist or you do not have permission to see it."],"errors":{}}

The issue exists and I have permission to read it.
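Worked example (added here; this is not code from the thread or from Atlassian): a small preflight script that authenticates the way the answer describes, with HTTP Basic auth using the Atlassian account email as the username and the API token as the password, asks Jira which account the token maps to via /rest/api/3/myself, optionally tries to read one issue, and spells out what the status codes that come up in the discussion (200, 401, 403, 404) mean for the token. The environment variable names and the sample error body used in the tests are assumptions chosen for illustration.

```python
"""Preflight check for a Jira Cloud API token: confirm which user the token
is treated as, then see whether an issue read succeeds, by interpreting the
HTTP status codes discussed in the thread.

Assumed (not from the page): site name, email and token are read from the
environment variables JIRA_SITE, JIRA_EMAIL and JIRA_API_TOKEN.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Any, Dict, Optional, Tuple


def basic_auth_header(email: str, api_token: str) -> str:
    """Jira Cloud REST calls use HTTP Basic auth: the account email is the
    username and the API token is the password, base64-encoded together."""
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify(status: int) -> str:
    """Explain the status codes the thread talks about in terms of the token."""
    meanings = {
        200: "ok: the call ran with the token owner's permissions",
        401: "unauthenticated: wrong email/token pair, revoked token, or site access disabled",
        403: "forbidden: credentials accepted, but the user lacks the required permission",
        404: "not found: the issue is missing or hidden because the user cannot browse it",
    }
    return meanings.get(status, f"unexpected status {status}")


def describe(status: int, body: Optional[Dict[str, Any]]) -> str:
    """Combine the status-code meaning with any errorMessages Jira returned."""
    text = classify(status)
    if body and body.get("errorMessages"):
        text += " (" + "; ".join(body["errorMessages"]) + ")"
    return text


def jira_get(site: str, path: str, email: str, api_token: str) -> Tuple[int, Optional[Dict[str, Any]]]:
    """GET a Jira Cloud REST path and return (status, parsed JSON body or None)."""
    url = f"https://{site}.atlassian.net{path}"
    req = urllib.request.Request(url, headers={
        "Authorization": basic_auth_header(email, api_token),
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # Jira puts its explanation in a JSON body even on error responses.
        try:
            return err.code, json.loads(err.read().decode("utf-8", "replace"))
        except json.JSONDecodeError:
            return err.code, None


def main() -> None:
    site = os.environ["JIRA_SITE"]        # e.g. "example" for example.atlassian.net
    email = os.environ["JIRA_EMAIL"]
    token = os.environ["JIRA_API_TOKEN"]
    issue_key = sys.argv[1] if len(sys.argv) > 1 else None

    # 1. Which account does Jira treat the token as? /myself answers that.
    status, body = jira_get(site, "/rest/api/3/myself", email, token)
    print(f"GET /rest/api/3/myself -> {status}: {describe(status, body)}")
    if status == 200 and body:
        print(f"  acting as {body.get('emailAddress')} (accountId {body.get('accountId')})")

    # 2. Optionally: can that account read a specific issue?
    if issue_key:
        status, body = jira_get(site, f"/rest/api/3/issue/{issue_key}?fields=summary", email, token)
        print(f"GET /rest/api/3/issue/{issue_key} -> {status}: {describe(status, body)}")


if __name__ == "__main__":
    main()
```

Run it once with the token owner's own email and once with a different email paired with the same token, and against each site in question, to see which of the thread's claims hold for your tenant. Note that the 404 message shown in the last comment above is the same text Jira returns whether the key does not exist or the caller lacks browse permission, so a 404 on its own does not tell those two cases apart; the /myself result tells you which account the request was actually evaluated for.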
