Ways to Secure REST APIs

A REST API is an application interface that lets an application expose its resources to client applications. REST APIs let you integrate with Jira by querying and modifying data in your Jira application. Because REST APIs are reachable from the internet and anyone can send requests to them, an unauthenticated endpoint can be used to gain illegitimate access to sensitive resources and modify them, so it is crucial to authenticate every API call made to the server.

The authentication methods available to secure REST APIs are as follows:

  • Basic Authentication
  • API Key Authentication
  • OAuth 2.0 Authentication

We will learn about them briefly below.


Basic Authentication:

Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends the username and password, joined by a colon and Base64-encoded, in the Authorization header of every request. Base64 is an encoding, not encryption, so anyone who can observe the request can recover the credentials; this is an inherent security weakness of Basic authentication. Every API call therefore exposes the real account password and is an opportunity for credential theft, which is not ideal. Hence it is not recommended.

[Image: Basic Authentication.png]


Authentication methods for SSO Enabled Jira Server:

If the application is federated using SSO protocols such as SAML, OAuth or OIDC, the user generally does not know his or her application credentials; the user only knows the credentials of the Identity Provider. Basic authentication therefore does not work in such cases. Instead, you can use one of the methods below.


API Key Authentication

Use API keys as an alternative to basic authentication to protect your REST APIs from unauthenticated users. API key authentication generates a random authentication key for you; the client sends this key in the authentication request instead of the account password. For additional security, you can revoke a key at any time and generate a new one.

From a usability point of view, there are some advantages to using API keys. The clearest is their simplicity combined with reasonable security: a single identifier is easy to handle and, for some use cases, the best solution, since keys work well as unique identifiers for an application. We provide support for API key authentication and additionally let you control which users can call the REST APIs.

[Image: API Key Authentication.png]
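The API key handling described above, as an added example that is not code from the original post or from the app it describes. It assumes an in-memory key table (a real server would use its database), keys presented as `Authorization: Bearer <key_id>.<secret>` (a constructed format), and an allow-list of users permitted to call the API. It stores only a SHA-256 digest of each key so that a copy of the key table yields no usable credential, supports revocation, and, for comparison, shows how a Basic-auth header can be read back, which is why a gateway should reject it:

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: server-side handling of API keys for a REST endpoint.
# Only a SHA-256 digest of each key is stored, keys can be revoked one at a
# time, and an allow-list decides which users may call the API at all.


@dataclass
class ApiKeyRecord:
    key_id: str
    digest: bytes          # sha256(secret part); the secret itself is never stored
    user: str
    revoked: bool = False


@dataclass
class ApiKeyStore:
    records: dict = field(default_factory=dict)       # key_id -> ApiKeyRecord
    allowed_users: set = field(default_factory=set)   # users permitted to use the REST API

    def issue(self, user: str) -> str:
        """Generate a random key for `user`; the full 'key_id.secret' is returned exactly once."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.records[key_id] = ApiKeyRecord(key_id, hashlib.sha256(secret.encode()).digest(), user)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> bool:
        """Mark a key unusable without touching the others; returns False for an unknown id."""
        rec = self.records.get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authenticate(self, headers: dict):
        """Return the calling user for a valid 'Authorization: Bearer <key_id>.<secret>', else None."""
        scheme, _, credential = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer":
            return None
        key_id, sep, secret = credential.partition(".")
        rec = self.records.get(key_id)
        if not sep or rec is None or rec.revoked:
            return None
        # Constant-time comparison of digests avoids leaking how many bytes matched.
        if not hmac.compare_digest(rec.digest, hashlib.sha256(secret.encode()).digest()):
            return None
        if rec.user not in self.allowed_users:
            return None
        return rec.user


def basic_auth_username(headers: dict):
    """Illustrates the weakness of Basic auth: the credential is only Base64-encoded,
    so the username (and the password next to it) is readable by anyone who sees the
    header. Returns the username if the request used Basic auth, else None."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, _, _password = decoded.partition(":")
    return username


if __name__ == "__main__":
    store = ApiKeyStore(allowed_users={"alice"})
    key = store.issue("alice")                       # shown to the user once
    print(store.authenticate({"Authorization": f"Bearer {key}"}))   # alice
    print(basic_auth_username({"Authorization": "Basic Ym9iOmh1bnRlcjI="}))  # bob
```

The key id is public and is what the server looks up; only the secret half is hashed and compared, so neither a leaked table nor a timing difference in the comparison helps an attacker. Revoking a single `key_id` is enough to retire one client without rotating everyone else.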


REST API Authentication using OAuth 2.0

This method lets you authenticate the REST APIs of your application against any OAuth/OIDC provider. A client calling a REST API first fetches an access token from the OAuth/OpenID provider and then presents that access token to authenticate the API call.

It is fundamentally a more secure and more powerful method than the other approaches, mainly because it allows scopes to be defined that grant or restrict access to different parts of the API. It is the best solution for those who already have an external OAuth provider. As an added advantage, the access token expires after a set time, which makes a stolen token much harder for attackers to reuse.

[Image: OAuth 2.0 Authentication.png]
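The validation a resource server performs on the access token described above, as an added example that is not code from the original post or from the app it describes. It assumes the provider issues HS256-signed JWT access tokens and that the shared secret stands in for the provider's signing key (real providers normally use asymmetric keys published at a JWKS URL, which would replace the HMAC check); the issuer URL, subject and scope names are constructed. The check pins the algorithm, verifies the signature, issuer and expiry, and only then enforces the scope the endpoint requires:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: a resource server validating an OAuth 2.0 bearer access
# token carried as an HS256 JWT. The shared secret stands in for the provider's
# signing key; `ISSUER` is an assumed value for this example.

ISSUER = "https://idp.example"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, scopes: list, ttl_seconds: int, now: int) -> str:
    """Mint a short-lived token the way the authorization server would (simplified HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "scope": " ".join(scopes),
               "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_token(secret: bytes, token: str, required_scope: str, now: int) -> dict:
    """Validate algorithm, signature, issuer, expiry and scope; returns {'ok': bool, ...}."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                      # covers bad base64, bad JSON, wrong part count
        return {"ok": False, "reason": "malformed"}
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return {"ok": False, "reason": "malformed"}
    # Pin the algorithm: the token's own header must never choose it ('none', key confusion).
    if header.get("alg") != "HS256":
        return {"ok": False, "reason": "unsupported alg"}
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return {"ok": False, "reason": "bad signature"}
    if payload.get("iss") != ISSUER:
        return {"ok": False, "reason": "wrong issuer"}
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return {"ok": False, "reason": "expired"}
    granted = set(payload.get("scope", "").split())
    if required_scope not in granted:
        return {"ok": False, "reason": "insufficient scope"}
    return {"ok": True, "sub": payload["sub"], "scopes": sorted(granted)}


def authorize_request(headers: dict, secret: bytes, required_scope: str, now: int) -> dict:
    """Gateway entry point: extract the Bearer token from the Authorization header, then verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return {"ok": False, "reason": "no bearer token"}
    return verify_token(secret, token, required_scope, now)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    now = int(time.time())
    token = issue_token(key, "alice", ["read:jira"], ttl_seconds=300, now=now)
    print(authorize_request({"Authorization": f"Bearer {token}"}, key, "read:jira", now + 100))
    print(authorize_request({"Authorization": f"Bearer {token}"}, key, "write:jira", now + 100))
```

Checks are ordered so that the cheapest and most decisive ones come first and no claim is trusted before the signature is confirmed: an expired or tampered token is rejected regardless of what scopes it claims, which is what makes a leaked token lose its value after `exp`.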


Try out our REST API Authentication app. The app supports various methods such as API tokens and OAuth 2.0/OpenID tokens, and it also provides configurable access control to block REST API calls made using basic authentication or OAuth 1.0.

For detailed information about our REST API Authentication app, please refer to the link.

In case of any queries, please feel free to drop us a mail at


@Shradha Kamble - if I'm fine in using API Tokens, could you tell me what's the advantage of using your app vs using Atlassian's built-in mechanism?

API keys are for projects or applications; authentication is for users. For example, Google Cloud exposes API keys to access it and identify the application.

While API keys identify the calling project, they don’t identify the calling user. For instance, if you have created an application that is calling an API, an API key can identify the application that is making the call, but not the identity of the person who is using the application.


Hello Matthias,

This plugin has some demanding functionality in addition to the basic API Token feature, such as the ability to set the API Token's maximum expiry time. Some automation tools demand a bearer token instead of basic authentication, and you can send the API token as a Bearer token using our plugin. This plugin also has the ability to restrict access to the REST API based on IP address and user groups.

The plugin also supports JWT token and OAuth 2.0 authentication, as well as providing configurable Access Control to Jira's default authentication methods such as basic authentication and OAuth 1.0.

I'd like to add to Devin's point that API keys are sometimes required to identify the user rather than the application. The user-specific API Token option is available in this plugin.

PS: I am a developer at miniOrange, a Top Atlassian SSO Vendor!

If you have any questions about it or would like to discuss it further, you can reach out to

I hope this helps you!

