A primary use case for API tokens is to allow scripts to access REST APIs for Confluence applications using HTTP basic authentication.
If you define a token for a user, only that user can use it. If you do not specify a user, any user will be able to use this token.
If an external system is compromised, you can revoke the token instead of changing the password and consequently changing it in all scripts and integrations.
For security reasons we recommend generating token for specific user.
Editing the token after creation is not possible, create a new token if necessary.
You should treat API tokens as securely as any other password.
or if you turn on option Restrict tokens only for Extender endpoints in configuration
Depending on the details of the HTTP library you use, simply replace your password with the token. For example, when using curl, you could do something like this:
curl -v https://my-confluence.com --user USER:TOKEN
USER here is the email address or user name.
TOKEN here is token generated in REST API Tokens page
curl -s -u admin:token1234567890 CONFLUENCE_URL/rest/extender/1.0/user/getUserDetails/admin
curl -s -u firstname.lastname@example.org:token0987654321 CONFLUENCE_URL/rest/extender/1.0/user/getUserDetails/admin
Note that :
Basic Auth use this type in Authorization type
Username here is the email address or user name.
Passwordhere is token generated in REST API Tokens page
You can limit the token to specific urls and methods. Provide endpoint url with regular expression, add (or not) method restriction.
You can define any number of token restrictions, each of which should be on a new line.
Restriction to set property endpoint on space with key EXTENDER (only POST method)
Restriction to all space endpoints (for all methods)
REST API Tokens is available since v. 2.6.*
Since v. 2.10.*
changes in supported endpoint URLs - CONFLUENCE_URL/rest/*
added tokens expiration functionality
added the ability to specify token restrictions for URLs/methods