Restrict Access to Jira Cloud Rest End Points

Tulika June 6, 2025

Hi,

I want to know if there is a way we can restrict access to certain Jira REST endpoints in Jira Cloud.

I want to restrict access to anonymous endpoints like <BaseURL>/rest/api/3/field

I also want to restrict access to the project fetch endpoint <BaseURL>/rest/api/3/project/search

Thanks and Regards,

Tulika

2 answers

0 votes
Gerusa Lobo _e-Core_
Atlassian Partner
June 6, 2025

Hi @Tulika 

All endpoints in Jira Cloud need user authentication.

Some plugins hide the authentication because they use their add-on users.

The information access and endpoints available are based on the access and permissions of the user in a project.

If the user doesn't have access to a project, he won't get any information for this project or be able to execute anything.

Also, in Authentication Policies at the Organization level, it is possible to disable access to the API for all users in a policy.

Regards.

0 votes
Tomislav Tobijas
Community Champion
June 6, 2025

Hi @Tulika ,

As far as I know, you cannot restrict REST API calls and endpoints. There's a feature suggestion related to restrictions: JRACLOUD-42122: REST API Access Permission 

But API calls should respect user permissions. Meaning, if your Jira doesn't have anonymous access enabled on specific projects, 'external' people who don't have access to your site should not be able to use the mentioned endpoints and would probably get an unauthorized message.

Now, I haven't been playing that much with REST APIs that I can stand 100% behind this 👀

Cheers,
Tobi

Tulika June 6, 2025

Hi Tomislav,

We know about the project-specific restrictions, but we want to know if there is an option in Jira with which we can block access to certain anonymous access endpoints like <BaseURL>/rest/api/3/field

Cheers,
Tulika

Tomislav Tobijas
Community Champion
June 7, 2025

Oh, I see. I just tried using some endpoints on hello.atlassian.net and it provided responses without any authorization. Wow...

I'm not sure if whitelisting would help here 👀

But I agree that this could provide security risks in some cases. I would suggest reaching out to Atlassian Support and discussing it further with them. I've tried checking JAC for any open suggestions on that topic, but I couldn't find any :/

Gerusa Lobo _e-Core_
Atlassian Partner
June 7, 2025

Hello @Tulika @Tomislav Tobijas 

As far as I know, all API endpoints in Atlassian need authentication.

https://developer.atlassian.com/cloud/jira/software/basic-auth-for-rest-apis/

I don't know of any Atlassian endpoint that does not require authentication to run successfully.

If you put an endpoint in a browser, you are still authenticating with the SSO cookie saved in the browser's cache.

I suggest you try a GET using Postman or curl without authentication to try to get information from these endpoints.

Regards.

Tomislav Tobijas
Community Champion
June 7, 2025

@Gerusa Lobo _e-Core_ well, I tried using Postman, hence my previous comment.

2025-06-07_12-30-52.png

No auth on site name/base URL combined with /rest/api/latest/field and you'll get the response.

However, it's worth noting that this seems to get system fields/info which is the same on all sites (it won't reveal any custom fields you're using).
Still, IMO, this shouldn't give a response if you're not using auth.
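
An added example, not part of any post in this thread: a small Python check an admin can run against their own site to see what the two endpoints discussed above return with no credentials and no browser cookie, and whether the field list contains only system fields. The `custom` flag on field objects and the `values`/`total` keys of the project search page are assumptions about the response shape; the site URL is supplied by you.

```python
import json
import sys
import urllib.error
import urllib.request

# The two endpoints named in the thread.
ENDPOINTS = ["/rest/api/3/field", "/rest/api/3/project/search"]


def fetch_anonymous(url):
    """GET with no Authorization header and no cookies; returns (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(path, status, body):
    """Map one anonymous response to a finding."""
    if status in (401, 403):
        return "blocked"
    if status != 200:
        return f"unexpected-status-{status}"
    try:
        data = json.loads(body)
    except ValueError:
        return "non-json-200"  # e.g. a login page served with 200
    if path.endswith("/field") and isinstance(data, list):
        # Assumed response shape: a list of objects with a boolean "custom".
        custom = [f for f in data if isinstance(f, dict) and f.get("custom")]
        return "custom-fields-exposed" if custom else "system-fields-only"
    if path.endswith("/project/search") and isinstance(data, dict):
        # Assumed response shape: a page object with "values" and "total".
        total = data.get("total") or len(data.get("values") or [])
        return "projects-exposed" if total else "no-projects-visible"
    return "unexpected-shape"


def audit(base_url, fetch=fetch_anonymous):
    """Check every endpoint on one site; returns {path: finding}."""
    return {p: classify(p, *fetch(base_url.rstrip("/") + p)) for p in ENDPOINTS}


if __name__ == "__main__":
    # Pass your own site's base URL, e.g. https://<your-site>.atlassian.net
    for path, finding in audit(sys.argv[1]).items():
        print(f"{finding:24} {path}")
```

A `system-fields-only` result matches what the last comment describes; `custom-fields-exposed` or `projects-exposed` means anonymous access is granted somewhere in the site's permission schemes and is worth raising with Atlassian Support.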
