API Authentication for Customers

I am working on an application that will be deployed to our customers, and am having trouble figuring out the best way to manage different customers and how they authenticate with our Jira cloud instance.

I have a single “Jira Service Management” site that I have multiple projects under. These projects each correspond to a real world project that we have done with customers. So I have a project called “Customer A” and a project called “Customer B,” etc. These are separate customers that have nothing to do with each other and should not have access to each other (outside of them all being managed under one Service Management instance).

I am struggling to understand the best way to allow each of these separate customer instances to connect to and interact with the Service Management API. The application will be installed on a machine by us, before it is delivered to the customer, and ideally the customer would never have to login to anything, as we would set up all the authentication beforehand. I am a little pigeonholed on the available “stack” for this, and think I’m going to be limited to Python 2.7 to do whatever I need.

I have been testing by just using basic auth with an API token. I thought that I could create separate API tokens for each customer and use that, but then I see that I can only make 25 tokens at a time. While this won’t be a public facing application, we will need more than 25. Using one API token for all customers seems wrong and prone to problems.

I suppose I want this to work like the {domain}.atlassian.net/servicedesk/customer/portal/{id} page, where a specific instance of the application is bound to a certain customer, and that instance is able to interact with the API. Using that webpage doesn’t quite achieve some other functionality I am trying to incorporate, or I would just use that.

I’m just a little lost on the best way for the customers to (safely and securely) access the relevant API data. While I say that I want it safe and secure, this shouldn’t be collecting any sensitive information, but still…

Any guidance in the right direction would be greatly appreciated! Thank you!

Hi @RobertBiros. I’ll start by saying that you’ll need to be very strict and careful about how project and user permissions are set up. Rather than having a single user and generating gobs of tokens, consider creating a user account per customer, which gives you all of the access control capabilities needed. API tokens are created at the user level, and if you were to manage each of these accounts, you could revoke them when/if needed.

I don’t know many details about what you’re building; however, it doesn’t sound like a traditional app or integration. That being said, I would closely review the Atlassian Cloud Terms of Service as well as the Atlassian Developer Terms.
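To make the "one account per customer, one token per account" suggestion concrete, here is an added example (not code from the thread, and not an Atlassian library) of how the deployed appliance could bind itself to its customer and check that binding before doing any work. It assumes Jira Cloud basic auth (account email as the username, the API token as the password, base64-encoded in the `Authorization` header), the real endpoint `GET /rest/api/3/project/search` (paged with `startAt`/`maxResults`, returning `values` and `isLast`), a hypothetical JSON config file shape in which the token is read from an environment variable rather than stored in the file, and an injectable `fetch` callable so the whole thing runs offline. It is written for Python 3; the Python 2.7 constraint in the question would need a `urlparse` import in place of `urllib.parse` but changes nothing else.

```python
"""Per-customer Jira Cloud credential binding with a least-privilege preflight check.

Added example, not code from the original thread. Assumptions:
  - one Atlassian account per customer (as the reply suggests), each with its own API token
  - Jira Cloud basic auth: Authorization: Basic base64("<account email>:<API token>")
  - the real endpoint GET /rest/api/3/project/search, paged with startAt/maxResults,
    returning {"values": [{"key": ...}, ...], "isLast": bool}
  - a hypothetical config file shape; the token comes from an env var named in the file
  - `fetch(url, headers) -> (status, json_body)` is injected so the code runs offline
"""
import base64
import json
import os
import urllib.parse


def basic_auth_header(email, token):
    """Jira Cloud basic auth: email is the username, the API token is the password."""
    raw = "{}:{}".format(email, token).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii"),
            "Accept": "application/json"}


def load_customer_binding(config_text, env=None):
    """Hypothetical appliance config: identity and project key live in the file,
    the secret is pulled from the environment variable the file names."""
    env = os.environ if env is None else env
    cfg = json.loads(config_text)
    return {"customer": cfg["customer"], "base_url": cfg["base_url"].rstrip("/"),
            "project_key": cfg["project_key"], "email": cfg["email"],
            "token": env[cfg["token_env"]]}


def accessible_project_keys(base_url, headers, fetch, page_size=50):
    """Page through /rest/api/3/project/search; return every key the account can see."""
    keys, start_at = set(), 0
    while True:
        url = "{}/rest/api/3/project/search?startAt={}&maxResults={}".format(
            base_url, start_at, page_size)
        status, body = fetch(url, headers)
        if status != 200:
            raise RuntimeError("project search failed with HTTP {}".format(status))
        page = body.get("values", [])
        keys.update(p["key"] for p in page)
        if body.get("isLast", True) or not page:
            return keys
        start_at += len(page)


def verify_binding(binding, fetch):
    """Preflight before any API work: the customer account must see exactly its own
    project. More means the appliance is over-privileged; none means access was never
    granted. Returns the auth headers to use for the rest of the session."""
    headers = basic_auth_header(binding["email"], binding["token"])
    visible = accessible_project_keys(binding["base_url"], headers, fetch)
    expected = {binding["project_key"]}
    if visible != expected:
        raise PermissionError("{} can see {} but should see only {}".format(
            binding["email"], sorted(visible), sorted(expected)))
    return headers


def make_fake_fetch(visibility):
    """Constructed stand-in for HTTP: maps an Authorization header value to the project
    keys that account may see and emulates Jira's paging, one key per page."""
    def fetch(url, headers):
        keys = visibility.get(headers.get("Authorization"))
        if keys is None:
            return 401, {}
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        start = int(query.get("startAt", ["0"])[0])
        page = keys[start:start + 1]
        return 200, {"values": [{"key": k} for k in page],
                     "isLast": start + 1 >= len(keys)}
    return fetch


# Constructed sample data: two customer accounts on one hypothetical site.
CUSTOMER_A_CONFIG = json.dumps({
    "customer": "Customer A", "base_url": "https://example.atlassian.net",
    "project_key": "CA", "email": "customer-a-bot@example.com",
    "token_env": "JIRA_API_TOKEN"})
SAMPLE_ENV = {"JIRA_API_TOKEN": "tokenA"}
SAMPLE_VISIBILITY = {
    basic_auth_header("customer-a-bot@example.com", "tokenA")["Authorization"]: ["CA"],
    # Misconfigured account: it was also added to Customer B's project.
    basic_auth_header("customer-b-bot@example.com", "tokenB")["Authorization"]: ["CA", "CB"],
}


if __name__ == "__main__":
    fetch = make_fake_fetch(SAMPLE_VISIBILITY)
    binding = load_customer_binding(CUSTOMER_A_CONFIG, SAMPLE_ENV)
    print("Customer A preflight OK:", verify_binding(binding, fetch)["Accept"])
```

Running the preflight at startup (and again on a timer, since an admin can widen the account's project permissions at any time) turns the "be very strict about permissions" advice into something the appliance enforces on itself, and a per-customer account means revoking one token, or deactivating one account, cuts off exactly one appliance.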