Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

How to use the access token for REST calls?

I've finally cracked the code of using JIRA authentication endpoints with OAuth.  It wasn't easy, but the key was using the RSA-SHA1 algorithm (not very standard - most implementations use HMAC-SHA1) - and the private key in the consumer-secret. BTW, when will OAuth2 be available???

Anyway, now that I do the 3-legged dance, and I have an oauth_token... now - how do I use it? I can't find a single example of actually using that token in an HTTP request for the REST interface.

Typically I would format it into the header of a request like so:

{ "Authorization" : "Bearer gZ9qgJLEaNJh3349VEIbCQ9jm7baNAbcDefgVjFqJY" }

But this doesn't seem to do the trick, even for a very simple query. 

How should the auth_token be formatted and used? I can't find any examples or instructions on this...

5 answers

1 accepted

8 votes
Answer accepted

Each of the sample clients use libraries which use other libraries - and the stack is deep. My biggest problem with the documentation and the samples is that they do not provide actual HTTP examples - they hide the details in curl or some other shared library. That is all well and good if you don't need to understand it, or just need to implement what someone else already has, using a library someone already has. But I read the blogs and I am not the only one that finds this approach - wanting.

I have no problem using RSA-SHA1 or acquiring the access token, but every example i've seen after that step uses curl with basic auth to access data - which is somewhat pointless. Every OAuth 1.0a server (and actually every OAuth 2 server) differ in implementation - I am looking for the similarities and the differences. I'm not using the languages or libraries that are covered so far in the published samples, I am left to experiment to find out these implementation necessities. Again, I am not the only one.

My next step is to follow the OAuth bible and see if that gets me where I want to go. A tangible sample with HTTP request and response for each would be much better than a collection of specific-library-built-samples. Everyone who approaches this, it seems, is left to dissect a sample that is not in the language they are using to try to glean the basic protocol. That's like teaching students how to be a doctor by sending them to the morgue to do autopsies. There might be a better way.


Sailing in the same boat. Looking for an example to get the access_token in my language (PHP). Can you please help me. 


Many thanks in advance.

I can add my own sample to the list of "here's how you do it in my technology" - but I'd rather provide a more general answer if possible. Let me re-iterate: requiring people to install, build, and run examples in a completely different set of technologies in order to find the pattern is not very productive.

The short answer is: roughly the OAuth1 format for Authorization header, but digitally signed using RSA-SHA1. Here is an example of an actual working HTTP header for a simple GET:


OAuth oauth_signature="C3xuGDhahnuQiro38jl5an3EjnzdGWEOWx%2Z3MAXfN7vM%2FLtI%3D...", 

These are the critical pieces needed for the Authentication header:

`oauth_signature` - the RSA-SHA1 signature which should be a signed concatenated string which includes the full URL (including query parameters) and the other headers.

`oauth_token` - this is the token returned from the second leg of the OAuth dance

`oauth_consumer_key` - this is your consumer key, the one you registered with JIRA when you added a 'Link'

`oauth_signature_method` - hard-coded 'RSA-SHA1'

`oauth_timestamp` - current time stamp, likely filled in by your library.

`auth_nonce` - arbitrary id that is unique to this message. don't try to re-use this. generate it anew for each call. Also potentially generated by a good OAuth library.

`auth_version` - hard-coded "1.0"

All of these parameters (except for oauth_signature) should be formatted into what is known as a `base string` which can be digitally signed using the private key you generated before you registered your application with Jira. That signature is then Base64 encoded and placed into the oauth_signature parameter. All of these are formatted as above with quotes around the values and comma-separated into the `Authentication` header on the request.

(wow, that was easy...)

Ping me if you are looking for a Clojure example of this. smile

I tried to find your contact information to ask for these examples, but couldn't find it. Could please provide it, along with the REST Requests required to obtain the Request Tokens as well? Also, please consider publishing your examples here:

@Cameron Stillion if you still have an example of this working within Clojure I would love to see, trying to implement this myself right now.

Please post an example for this.thanks

Could you show an example with the use of NodeJS ? or any similar that could help. thanks

Andy Heinzer Atlassian Team Dec 08, 2020

Hi Ryan,

There are nodejs examples of using OAuth over in

The parent repo also has other examples for languages such as php, java, perl, python, etc

0 votes
Andy Heinzer Atlassian Team Dec 07, 2020

Hi everyone,

This thread is 5 year old and unfortunately some of the links are now defunct.  If you are looking to use OAuth with Atlassian products, I would recommend a couple of different resources depending on which platform you are connecting to (Atlassian Cloud versus our Server/Data Center products).


For Cloud:


For Server or Data Center:

I hope this helps.



I am trying to use C# (.net 4.8) to authenticate using oauth, unfortunately there is no c# sample in the above example.

Is it possible to produce a C# example or to provide a working example that uses the values generated in the java file as below. This is the file that was created using the JAVA example.




#Tue Apr 13 16:41:17 CAT 2021

I would suggest using a tool like wireshark to capture network packets and then you can see the exact packet formats using any of the examples.  it seems repository unavailable, Can you please provide some examples if possible

All repository in this thread is not found. Please help update

Suggest an answer

Log in or Sign up to answer

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you