From what I read here, I assumed that -H "X-Atlassian-Token: no-check" would do the trick for authentication. If I remove it, I get an authentication failure error, but if I have it included as above I get no response at all:

~$ curl -X POST -i https://<our-url>/rest/confiforms/1.0/create/<pageID>/<formname> -H "X-Atlassian-Token: no-check, Content-Type: application/json, Accept: application/json" -d '{"fields":{"text": "made by server"}}' -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying <our-ipv6>:443...
* TCP_NODELAY set
* Connected to <our-url> (<our-ipv6>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / <TLS-Key>
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: <server data>
* start date: Jun 28 00:00:00 2023 GMT
* expire date: Jun 27 23:59:59 2024 GMT
* subjectAltName: host "<our-url>" matched cert's "<our-url>"
* issuer: <issuer-data>
* SSL certificate verify ok.
> POST /rest/confiforms/1.0/create/<pageID>/<formname> HTTP/1.1
> Host: <our-url>
> User-Agent: curl/7.68.0
> Accept: */*
> X-Atlassian-Token: no-check, Content-Type: application/json, Accept: application/json
> Content-Length: 50
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 50 out of 50 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 415
HTTP/1.1 415
< Keep-Alive: timeout=20
Keep-Alive: timeout=20
< Set-Cookie: JSESSIONID=BD2595738FCA13E97FE1B3707E936CFC; Path=/; Secure; HttpOnly
Set-Cookie: JSESSIONID=BD2595738FCA13E97FE1B3707E936CFC; Path=/; Secure; HttpOnly
< Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-Powered-By: ARR/3.0
X-Powered-By: ARR/3.0
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Date: Wed, 02 Aug 2023 08:30:42 GMT
Date: Wed, 02 Aug 2023 08:30:42 GMT
< Content-Length: 0
Content-Length: 0

<
* Connection #0 to host <our-url> left intact

That header has nothing to do with authentication 

Logically thinking, if that’s was the case… how secure that would be!?

Alex

You got a point there, I was also wondering how the user would be deduced. The search API which works from a browser where I'm logged in to the wiki gives an authentication failure on the server, so I guess I have to setup authentication tokens, wich I hoped to be able to avoid. Thanks for clarifying that.

If someone is looking this up and is as confused as me with the syntax, it finally worked like this:

curl -X POST <our-url>/rest/confiforms/1.0/create/<pageID>/<FormName> -H "Content-Type: application/json" -H "Accept: application/json" -H "Authorization: Bearer <PAT token>" -d '{"fields":{"<myfieldname>": "<myvalue>"}}'