Versions Compared


...

A primary use case for API tokens is to allow scripts to access the REST APIs of Jira and Confluence applications using Basic Auth or Bearer Token, with extended filtering/blocking capabilities.

If you define a token for a user, only that user can use it (with either Basic Auth or Bearer Token), but if you do not specify a user, any user will be able to use this token (only with Basic Auth).

If an external system is compromised, you can revoke the token instead of changing the password and consequently changing it in all scripts and integrations.

...

Info

Supported endpoints

  • JIRA_URL/rest/*

...

...

Token Authentication

You can change the supported authorization method for all generated tokens to Basic Auth, Bearer Token, or both. The default type is Basic Auth.

Basic Auth

Basic authentication is a simple and widely supported authentication method that uses the HTTP Authorization header to send the username and password of the client. The client encodes the credentials in base64 and sends them with every request. The server decodes the credentials and checks whether they are valid. Basic authentication is easy to implement and compatible with most clients, but it has some drawbacks. The credentials are not encrypted, so they can be intercepted by malicious actors. The client has to store the credentials securely and send them repeatedly, which can affect the performance and security of the API. Basic authentication is suitable for simple and low-risk scenarios, such as testing or prototyping.

Bearer Token authentication

Bearer authentication is a more advanced and secure authentication method that uses tokens instead of credentials. A token is a string of characters that represents the identity and permissions of the client. The client obtains a token from an authentication server by providing valid credentials or other information. The client then sends the token with every request using the HTTP Authorization header or the query string. The server validates the token and grants access to the API. Bearer authentication has several advantages over basic authentication. The token is encrypted, so it cannot be tampered with or stolen. The client does not have to store or send the credentials, which reduces the risk of exposure and improves the performance of the API. The token can also have an expiration date, which limits the duration of the access. Bearer authentication is suitable for complex and high-risk scenarios, such as production or public APIs.

How to choose?

When choosing between basic and bearer authentication for an API, there is no one-size-fits-all answer. It depends on the API's requirements, design, and security level. When making a decision, consider factors such as compatibility, complexity, and security. For example, if the API needs to support a wide range of clients, basic authentication may be more convenient. However, if the API needs to integrate with third-party services or platforms, bearer authentication may be more compatible. Additionally, if the API is simple and has few endpoints and resources, basic authentication may be sufficient. On the other hand, if the API is complex and has many endpoints and resources, bearer authentication may be more scalable. Moreover, if the API is low-risk and does not handle sensitive or personal data, basic authentication may be acceptable with HTTPS encryption. Lastly, if the API is high-risk and handles sensitive or personal data, bearer authentication may be mandatory for better security and control over access and data protection.

Source - How do you choose between basic and bearer authentication for your API?

Code snippet

You can generate the code snippet (JavaScript/curl) and authentication data for calls by clicking the icon.

...

If you want to check who used the token and when, all calls are added to the audit log.

...

How does it work

Depending on the details of the HTTP library you use, simply replace your password with the token. For example, when using curl, you could do something like this:

Code Block
curl -v https://my-jira.com --user USER:TOKEN

Note that:

  • USER here is the email address or user name.

  • TOKEN here is the token generated on the Extender REST API Tokens page.

CURL Example

Basic Auth

Code Block
curl -s -u ansible@ansible.jira.pl:token0987654321 JIRA_URL/rest/api/2/issue/AAA-1
Code Block
curl -s -u ansible@confluence.pl:token0987654321 CONFLUENCE_URL/rest/extender/1.0/user/getUserDetails/admin
Code Block
curl -H 'Authorization: Basic YWRtaW46cGhuN2dkNHY2cWcyNGZ2aGZwNnFwZ2psa3VwMDFnMGxn' CONFLUENCE_URL/rest/api/content
Code Block
curl -u admin:token0987654321 -H "Content-Type: application/json" --data '{"body":"Comment text"}' -X POST JIRA_URL/rest/api/2/issue/ISSUE-1/comment

Bearer Token

Code Block
curl -H 'Authorization: Bearer qt3sumg4gd8r47n98tcnmuarnfufviog' 'http://localhost:2990/jira/rest/api/2/issuetype'

Postman Example

Basic Auth

...

Note that:

  • Basic Auth: use this type in the Authorization type field.

  • Username here is the email address or user name.

  • Password here is the token generated on the Extender REST API Tokens page.

Bearer Token

...

Note that:

  • Bearer Token: use this type in the Authorization type field.

  • Token here is the unique token.

...

Specify limits for tokens

...

  1. Shut down Jira. Even on Jira Data Center, it is necessary to shut down all nodes. A rolling restart of the nodes won't suffice.

  2. Edit the jira-config.properties file in your JIRA application home directory.

  3. Change the value of the ops.bar.group.size.opsbar-classic-transitions-view property within this file to be the number of transition buttons required before the Workflow menu.

  4. If this property does not appear in the jira-config.properties file, add it:

    Code Block
    extender.token.secure.mode = true

  5. Save the updated jira-config.properties file.

  6. Restart JIRA.


CURL Example

...

GET Example

Code Block
curl -s -u admin:token1234567890 JIRA_URL/rest/api/2/issue/AAA-1

Code Block
curl -s -u ansible@ansible.jira.pl:token0987654321 JIRA_URL/rest/api/2/issue/AAA-1

...

POST Example

Code Block
curl -u admin:token0987654321 -H "Content-Type: application/json" \
  --data '{"body":"Comment text"}' -X POST JIRA_URL/rest/api/2/issue/ISSUE-1/comment

JavaScript Example

Code Block
// btoa() base64-ENCODES "USERNAME:TOKEN" for the Basic header (atob() would try to decode it)
var base64 = btoa("USERNAME:TOKEN");
$.ajax({
  "url": "http://localhost:2990/jira/rest/api/2/issuetype",
  "headers": {
    "Authorization": "Basic " + base64
  }
}).done(function (response) {
  console.log(response);
});
Code Block
// Same request with fetch(); again btoa() encodes, atob() decodes
var base64 = btoa("USERNAME:TOKEN");
var headers = new Headers();
headers.append("Authorization", "Basic " + base64);

fetch("http://localhost:2990/jira/rest/api/2/issuetype", {"headers": headers})
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));
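The following is an added example (not code from the original page or from the Extender add-on) that builds both header forms described in the Basic Auth and Bearer Token sections above and shows, by decoding a Basic header back, why the page says Basic credentials are encoded rather than encrypted. The function names buildBasicAuth, buildBearerAuth, decodeBasicAuth and getIssue are assumed; the user names and token values are placeholders taken from the page's curl examples.

```javascript
// Added example: Authorization header construction for Extender REST API tokens.
// Function names are assumptions for this illustration, not an API of the add-on.

function buildBasicAuth(user, token) {
  // Basic Auth: "user:token" is base64-ENCODED, not encrypted. Buffer is used
  // instead of btoa() so the same code runs in Node.js and can be tested offline.
  const encoded = Buffer.from(`${user}:${token}`, "utf8").toString("base64");
  return `Basic ${encoded}`;
}

function buildBearerAuth(token) {
  // Bearer Token: the token is sent as-is; no user name is part of the header,
  // which is why a token without a user only works with Basic Auth on this page.
  return `Bearer ${token}`;
}

function decodeBasicAuth(headerValue) {
  // Anyone who can read the header (e.g. over plain HTTP or in a log) recovers
  // both the user and the token with a plain base64 decode.
  const [scheme, encoded] = headerValue.split(" ");
  if (scheme !== "Basic" || !encoded) throw new Error("not a Basic header");
  const decoded = Buffer.from(encoded, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) throw new Error("malformed Basic credentials");
  return { user: decoded.slice(0, sep), token: decoded.slice(sep + 1) };
}

async function getIssue(baseUrl, authHeader, issueKey) {
  // Same GET as the curl examples; either header form is accepted depending on
  // the token type configured. baseUrl stands for the JIRA_URL placeholder.
  const res = await fetch(`${baseUrl}/rest/api/2/issue/${issueKey}`, {
    headers: { Authorization: authHeader, Accept: "application/json" },
  });
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
  return res.json();
}

// Constructed sample values (placeholders from the page's examples):
const basicHeader = buildBasicAuth("admin", "token0987654321");
const bearerHeader = buildBearerAuth("qt3sumg4gd8r47n98tcnmuarnfufviog");
console.log(basicHeader, "->", decodeBasicAuth(basicHeader));
console.log(bearerHeader);
// getIssue("https://my-jira.com", basicHeader, "AAA-1").then(console.log);
```

Because the Basic header round-trips to the plain token, revoking a leaked token (as the page recommends) is the only effective remedy once an external system holding it is compromised.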

Postman Example

...

Note that:

...

Basic Auth: use this type in the Authorization type field.

...

Username here is the email address or user name.

...

...

Changes

Info

REST API Tokens have been available since v. 1.39.*

Since v. 1.40.*.1

  • added JIRA_URL/rest/keplerrominfo/* to supported endpoints

Since v. 1.61.*

  • changes in supported endpoint URLs - JIRA_URL/rest/*

  • added tokens expiration functionality

  • added the ability to specify token restrictions for URLs/methods

Since v. 2.6.*

  • all token calls are now added to the audit log

Since v. 2.8.*

  • added Code snippet

Since v. 2.14.*

  • added the ability to edit token name and limits

Since v. 4.29.*

  • Specify limits for tokens - added the ability to define restrictions on URL parameters and JSON data in the body

Since v. 4.30.*

  • Added Secure mode - additional security layer for Tokens

...