API Tokens
Securing your REST APIs from unauthorized access is necessary. When safeguarding your APIs, sharing login credentials poses security risks. Instead, utilizing API tokens offers a secure alternative. An API token is a randomly generated string that serves as a unique identifier for authentication. By employing this method, you can enhance the security of your REST APIs without the need to disclose sensitive login information. This approach not only streamlines the authentication process but also minimizes potential vulnerabilities associated with traditional credential-sharing practices.
Two types of API tokens can be generated through the plugin: Basic and Bearer. Both are passed in the Authorization header of the request.
Sample Request
## For Basic Tokens
Request: GET /rest/api/2/myself
Header: Authorization: Basic Base64encoded(<username:token>)
## For Bearer Tokens
Request: GET /rest/api/2/myself
Header: Authorization: Bearer <token>
API Tokens Restrictions
To maintain security and prevent misuse, several restrictions can be applied to API tokens. These include setting a maximum expiry time for tokens, limiting the number of tokens per user, and scheduling automatic deletion of expired tokens.
- Maximum Expiry Time: Tokens can be configured to expire after a set duration, ensuring that access is temporary and reducing the risk of unauthorized access through unused or forgotten tokens.
- Maximum Tokens per User: To prevent overuse and improve manageability, there is a configurable limit on the number of tokens each user can have at a time. This restriction helps reduce potential security risks by ensuring each user has only the tokens they actively need.
- Delete Expired Tokens Scheduler: A scheduler can be enabled to automatically delete expired tokens after a specified number of days. This automated cleanup not only improves security by removing inactive tokens but also keeps token management streamlined by reducing the number of expired tokens retained in the system.
These restrictions contribute to a more secure, manageable approach to API authentication, enhancing the protection of your REST APIs.
Manage API Tokens via API
Managing API tokens programmatically provides flexibility and control over token creation, expiration, and deletion. Through the API, you can manage tokens effectively using the following methods:
- GET Method: The GET request allows you to retrieve the expiry details of a specific token. This method helps you track the status and expiration time of existing tokens, ensuring you can monitor their validity and take necessary actions if needed.
- POST Method: The POST request enables you to create a new API token. This method generates a fresh token for authentication, providing a secure way to grant access to your REST APIs without compromising sensitive login credentials. You can specify relevant details such as the token name and expiration time when creating the new token.
- DELETE Method: The DELETE request allows you to remove all expired tokens associated with a user. This method helps in cleaning up expired tokens, ensuring that your system remains secure by preventing the accumulation of inactive tokens.
By using these API methods, you can manage API tokens more efficiently, maintaining better control over authentication and security in your system.
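The restrictions described under "API Tokens Restrictions" and the three management operations above, modelled together as an added example that is not the plugin's own code: a token store whose `create_token`, `get_expiry` and `delete_expired` methods play the roles of the POST, GET and DELETE requests, and whose `scheduled_cleanup` plays the expired-token scheduler. The policy values (90-day maximum lifetime, 5 tokens per user, purge after 30 days), the decision to count only unexpired tokens against the per-user limit, and the method and field names are all assumptions of this example; the page does not give the plugin's endpoints or defaults.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class ApiToken:
    token_id: str
    owner: str
    name: str
    expires_at: datetime


@dataclass
class TokenPolicy:
    """Assumed defaults for the three restrictions; the plugin's real defaults are not on the page."""
    max_expiry_days: int = 90        # Maximum Expiry Time
    max_tokens_per_user: int = 5     # Maximum Tokens per User
    purge_after_days: int = 30       # Delete Expired Tokens Scheduler


class TokenStore:
    def __init__(self, policy):
        self.policy = policy
        self.tokens = {}

    def _live_tokens(self, owner, now):
        # Assumption: only unexpired tokens count toward the per-user limit.
        return [t for t in self.tokens.values() if t.owner == owner and t.expires_at > now]

    def create_token(self, owner, name, requested_days, now):
        """POST: issue a token, clamping its lifetime to the policy maximum and refusing
        when the user already holds the maximum number of live tokens."""
        if requested_days <= 0:
            raise ValueError("expiry must be a positive number of days")
        if len(self._live_tokens(owner, now)) >= self.policy.max_tokens_per_user:
            raise PermissionError(f"{owner} already holds {self.policy.max_tokens_per_user} tokens")
        days = min(requested_days, self.policy.max_expiry_days)
        token_id = secrets.token_urlsafe(16)
        self.tokens[token_id] = ApiToken(token_id, owner, name, now + timedelta(days=days))
        return self.tokens[token_id]

    def get_expiry(self, token_id, now):
        """GET: report a token's expiry time and whether it has already expired."""
        t = self.tokens[token_id]
        return {"name": t.name, "expires_at": t.expires_at.isoformat(), "expired": t.expires_at <= now}

    def delete_expired(self, owner, now):
        """DELETE: remove every expired token belonging to one user; returns the count removed."""
        doomed = [tid for tid, t in self.tokens.items() if t.owner == owner and t.expires_at <= now]
        for tid in doomed:
            del self.tokens[tid]
        return len(doomed)

    def scheduled_cleanup(self, now):
        """Scheduler: remove tokens, for all users, that expired more than purge_after_days ago."""
        cutoff = now - timedelta(days=self.policy.purge_after_days)
        doomed = [tid for tid, t in self.tokens.items() if t.expires_at <= cutoff]
        for tid in doomed:
            del self.tokens[tid]
        return len(doomed)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    store = TokenStore(TokenPolicy())
    t = store.create_token("admin", "ci-pipeline", 365, now)   # clamped to 90 days
    print(store.get_expiry(t.token_id, now))
```

Clamping the requested lifetime rather than rejecting it keeps clients that ask for "forever" working while still bounding exposure; the per-user cap is checked against live tokens so that forgotten, expired tokens cannot lock a user out of creating a new one.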
Success Response
Code | Error | Description |
---|---|---|
200 | Ok | { "self": "http://localhost:8080/rest/api/2/user?username=admin", "key": "JIRAUSER10000", "name": "admin", "emailAddress": "admin@gmail.com", "displayName": "admin", "active": true, "deleted": false, "timeZone": "Asia/Calcutta", …………} |
Error Response
Code | Error | Description |
---|---|---|
401 | UNAUTHORIZED | { "error": { "status": "ERROR", "message": "Provided API key is invalid" } } |