API Tokens for Jira / API Tokens plugin

Tokens Management

Where can I get a token?

After the plugin is installed, each Jira user can manage their own tokens on the View Profile page:

  • User Avatar > Profile
  • or directly via the link {base_url}/secure/ViewProfile.jspa

In the left column (Summary), at the bottom (below the Groups section), a new API tokens section is present.

How to create a new token?

Initially, users see the Create API token button and a message that there are no tokens yet.

  1. Click the Create API token button
  2. Add a Label and click the Create button
  3. Copy the generated API token

How to revoke tokens?

Please revoke a token when it is no longer needed or has been exposed somewhere.
Users can revoke a single token (Revoke) or all of them (Revoke API Tokens).
A confirmation pop-up is then shown.

General recommendations

  • Use a meaningful Label that matches the place where the token will be used
  • For security reasons, it is recommended to use a separate token for each script
  • Keep API tokens secret, as you do with passwords
  • It is strongly recommended to use secure HTTPS communication

How to use that token?

Tokens can be used in the same way as passwords in basic access authentication.
Example curl command:

curl -s --user {jira_username}:{generated_token} {jira_rest_endpoint_url}

So a real curl command would look like the following:

curl -s --user admin:PExRHkVGE5Da5BpwESbtpKJnUqUEyDmvsRt https://wombatscorp.com/jira/rest/api/latest/configuration
curl -s --user admin:PExRHkVGE5Da5BpwESbtpKJnUqUEyDmvsRt https://wombatscorp.com/confluence/rest/api/latest/accessmode
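For scripts, a token passed with --user on the command line can end up in shell history and in the process list. The wrapper below is an added example, not part of the plugin or its documentation: it feeds the credentials to curl through a config read from stdin. The names JIRA_USER, JIRA_API_TOKEN, jira_curl_config and jira_get are assumptions chosen for illustration.

```bash
# Added example. JIRA_USER and JIRA_API_TOKEN are assumed environment
# variables; jira_curl_config and jira_get are hypothetical helper names.

# Print a curl config that carries the credentials, so the token reaches
# curl on stdin and never appears in argv or in shell history.
jira_curl_config() {
    local user=$1 token=$2 url=$3 nl='
'
    # Basic auth only base64-encodes the token, so insist on HTTPS.
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL" >&2; return 1 ;;
    esac
    # Tokens are 35 characters long (see the technical details on this
    # page); this catches an empty variable or a truncated paste.
    if [ "${#token}" -ne 35 ]; then
        echo "token is not 35 characters long" >&2
        return 1
    fi
    # Quotes, backslashes and newlines would need escaping inside a quoted
    # curl config value; reject them instead of guessing.
    case $user$token$url in
        *\"*|*\\*|*"$nl"*) echo "unsupported character in input" >&2; return 1 ;;
    esac
    printf 'user = "%s:%s"\nurl = "%s"\n' "$user" "$token" "$url"
}

# GET a REST endpoint using credentials taken from the environment.
# Usage: jira_get {jira_rest_endpoint_url}
jira_get() {
    local cfg
    : "${JIRA_USER:?set JIRA_USER}" "${JIRA_API_TOKEN:?set JIRA_API_TOKEN}"
    cfg=$(jira_curl_config "$JIRA_USER" "$JIRA_API_TOKEN" "$1") || return 1
    # printf is a shell builtin, so the token is not exposed in a process list.
    printf '%s\n' "$cfg" | curl -s --fail --config -
}
```

Set JIRA_API_TOKEN from a secret store or a file readable only by the script's user rather than typing it inline.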

A few technical details

  • Tokens consist of 35 characters generated using SecureRandom from the alphabet 0..9 and A..z
  • No plain-text tokens are stored anywhere (only a salted hash of each)
  • Token data is stored in the DB (AO_5D4005_Tokens table)
  • The plugin covers only REST API calls ({jira_domain}/rest/*)
  • And only HTTP basic auth calls (with the HTTP header Authorization: Basic {credentials})
  • Basic auth with a password is still available to end users
  • It works even for SAML / SSO users

____________________________________________________________

For any additional questions, please contact me via email:
info@wombatscorp.com