Versions Compared

Old Version 4

changes.mady.by.user Adam Labus

Saved on

compared with

New Version 5

changes.mady.by.user Adam Labus

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

If an external system is compromised, you can revoke the token instead of changing the password and consequently changing it in all scripts and integrations.

Note

For security reasons, we recommend generating token for specific user.

Editing the token after creation is not possible, create a new token if necessary.

You should treat API tokens as securely as any other password.

You can mix Tokens with Run REST API on behalf of another user

...

You can change the supported authorization methods for all generated tokens between Basic Auth or and Bearer Token, or be compatible with both. The default type is Basic Auth.

...

You can generate the code snippet (JavaScript/curl) and authentication data for calls by clicking the icon

...

If you want to check who used the token and when, all calls are added to the audit log

...

  • USER here is the email address or user nameusername.

  • TOKEN here is token generated in Extender REST API Tokens page

...

  • Basic Auth use this type in Authorization type

  • Username here is the email address or user nameusername.

  • Passwordhere is token generated in Extender REST API Tokens page

...

  • Bearer Token use this type in Authorization type

  • Token here is the uniqe unique token

...

Specify limits for tokens

You can restrict the token to specific specific methods (GET, POST, PUT, DELETE, etc.), URL's, URL parameters, and JSON data in the body.

...

Info

You can define as many token constraints as you want, each of which should be on a new line.

You can freely combine all available restriction options, URL's, URL parameters, and JSON data in the body.

[method].*/rest/api/.*[QueryParam::paramName==Regexp][JsonData::nodeName==Regexp]

...

Code Block
.*/rest/api/2/issue/JRA.*

URL with a POST method restriction

Example:

  • Restriction to 'comment' endpoint on KANBAN-100 issue (only POST method)

Code Block
[post].*/rest/api/2/issue/KANBAN-100/comment.*

URL with parameters

Add an additional a definition to the end of the “Limit to” definition, as shown in the example

[QueryParam::URL_PARAM_NAME==REGEXP]

  • where URL_PARAM NAME is the name of the URL parameter

  • where REGEXP is the definition of a regular expression, what can value the URL parameter can take

Example:

  • Restriction to all filters for all users (only with permission)

...

URL with JSON data in the body

Add an a additional definition to the end of the “Limit to” definition, as shown in the example

[JsonData::JSON_NODE_NAME==REGEXP]

  • where JSON_NODE_NAME NAME is the name of the JSON node name

  • where REGEXP is the definition of a regular expression, what value can the JSON node name can take

Example:

Expand
titleSample create filter requests

Method:

Status
colourYellow
titlePOST

URL: {JIRA_URL}/rest/api/2/filter

Request JSON:

Code Block
{
    "name": "All Open Bugs",
    "description": "Lists all open bugs",
    "jql": "type = Bug and resolution is empty",
    "favourite": true,
    "editable": false
}

...

We created this mode to add another layer of security to your tokens and allow you to better protect them.

In this mode, you will notice several differences from the standard mode:

  • you will only see the token once, you will not be able to see it again

  • you will not be able to view the code snippet, change the expiration date, edit restrictions or any other Token data

...

  1. Shutdown Jira. Even on Jira Data Center, it is necessary to shutdown all nodes. A rolling restart of the nodes won't suffice.

  2. Edit the jira-config.properties file in your JIRA application home directory.

  3. Change the value of the ops.bar.group.size.opsbar-classic-transitions-view property within this file to be the number of transition buttons required before the Workflow menu.

  4. If this property does not appear in the jira-config.properties file, add it

    Code Block
    extender.token.secure.mode = true

  5. Save the updated jira-config.properties file.

  6. Restart JIRA. 

...

Troubleshooting

Problem

Resolution

curl request (POST, PUT) return error code 3XX and response

Code Block
{
  "statusCode": 500,
  "message": "",
  "reason": "Internal Server Error"
}

Server reports that the requested page has moved to a different location. When curl follows a redirect and if the request is a POST, it sends the following request with a GET if the HTTP response was 301, 302, or 303. If the response code was any other 3xx code, curl resends the following request using the same unmodified method.

Please check -L, --location documentation and add extra options to your request like --post301, --post302 or --post303.

...

Changes

Info

REST API Tokens is available since v. 1.39.*

Since v. 1.40.*.1

  • added JIRA_URL/rest/keplerrominfo/* to supported endpoints

Since v. 1.61.*

  • changes in supported endpoint URLs - JIRA_URL/rest/*

  • added tokens expiration functionality

  • added the ability to specify token restrictions for URLs/methods

Since v. 2.6.*

  • all token calls will now be added to audit log

Since v. 2.8.*

  • added Code snippet

Since v. 2.14.*

  • added the ability to edit token name and limits

Since v. 4.29.*

  • Specify limits for tokens - added the ability to define restrictions on URL parameters and JSON data in the body

Since v. 4.30.*

  • Added Secure mode - additional security layer for Tokens

...