API REST /manage/lifecycle/disable and response 401 (you are unauthenticated)

Hi,

I can’t call API REST /manage/lifecycle/disable, I have response 401.
I try in Chrome (entering the API URL), with Java and Curl ==> response 401
My example: https://api.atlassian.com/users/{AccountIdToDisable}/manage/lifecycle/disable
I replace {AccountIdToDisable} by a right AccountId.

I try to call this API rest/api/3/users/search and it works fine.
I use an API token for the API call.
Example : https://{myDomain}.atlassian.net//rest/api/3/users/search
{myDomain} is my organisation

Where is the problem? Is an access token required? How? Any solution?
Thanks,
Karim.

@KarimCHERIFI welcome to the Atlassian developer community.

The API you are trying to call does not use the same API token as Jira. You must obtain a special admin API token.


Thanks for your response, I have again a response 401.
I already have an API key. But I created a new API token using your link “a special admin API token”.


Part of JAVA :

HttpResponse<String> response = Unirest.post("https://api.atlassian.com/users/{AccountIDUser}/manage/lifecycle/disable") 
			  .header("Content-Type", "application/json")
			  .header("Authorization", "{my_API_token}")
			  .asString();

Thanks for your help,

@KarimCHERIFI,

Thanks for sharing more of your API request. I believe the problem is related to this part of the API specification:

Once you have your API key, you can provide it as a bearer token in the Authorization part of your HTTPS header.

That means your request should look like this:

HttpResponse<String> response = Unirest.post("https://api.atlassian.com/users/{AccountIDUser}/manage/lifecycle/disable") 
			  .header("Content-Type", "application/json")
			  .header("Authorization", "Bearer {my_API_token}")
			  .asString();

Thanks, yes I see “Bearer Api Token” in the documentation, but how to get a “Bearer API Token”?
What does this “special” token mean?

Thanks !

@KarimCHERIFI,

Your screenshot proves you have the right kind of token. The trick is to prefix the word Bearer (with a space) for the Authorization header. Your code example doesn’t have Bearer so that’s what I changed when I reposted.

Right! Now I have another message, but not 401 🙂

{"key":"forbidden","context":"Error: Caller must be a verified org admin of targeted account or be the targeted account","errorKey":"forbidden","errorDetail":"Error: Caller must be a verified org admin of targeted account or be the targeted account"}

@KarimCHERIFI,

Yes, you cannot arbitrarily manage all accounts. For example, you shouldn’t be able to disable my user.
In order for Atlassian to know which accounts belong to your organization (thus, which ones you can manage), you must verify a domain.

Thanks ! I will try next week and tell you if all is fine (…or not).

Hello Atlassian Team,

My domain is now verified.
All users are managed, now.

But I can’t disable a user: {"code":401,"message":"Unauthorized"}

Thanks,

@KarimCHERIFI,

That’s frustrating. Maybe we can isolate the problem by checking results from other endpoints.

First, let’s make sure we can get a valid account id. Using a Jira API token, we get current user using GET /rest/api/3/myself. For me, the result is 200 OK and looks like:

{
	"self": "https://devpartisan.atlassian.net/rest/api/3/user?accountId=557057:3d0e64ae-35d3-490d-b6d9-d81c981476d0",
	"accountId": "557057:3d0e64ae-35d3-490d-b6d9-d81c981476d0",
	"emailAddress": "ibuchanan@atlassian.com",
	"avatarUrls": { ... },
	"displayName": "Ian Buchanan",
	"active": true,
	"timeZone": "America/Chicago",
	"locale": "en_US",
	"groups": { ... },
	"applicationRoles": { ... },
	"expand": "groups,applicationRoles"
}

Next, let’s take that accountId and use it with the Atlassian-wide APIs. This time we need a different admin API token. We can get profile for this user with GET /users/{account_id}/manage/profile. In my case, that’s https://api.atlassian.com/users/557058:641a59a4-008c-4cb5-b4eb-760303859b97/manage/profile. In my case, the result is 403 Forbidden because Atlassian manages the identity for ibuchanan@atlassian.com. And, the error message tells me that I’m not an admin for Atlassian:

{
	"key": "forbidden",
	"context": "Error: Caller must be a verified org admin of targeted account or be the targeted account",
	"errorKey": "forbidden",
	"errorDetail": "Error: Caller must be a verified org admin of targeted account or be the targeted account"
}

@KarimCHERIFI since you just set up a domain, claimed the users, and are managing the users with Access, I assume you are also an admin. If not, you will have the same 403 error. You must be an admin to manage users. If you are still getting a 401, even for your own accountId, then please refresh your admin token. Revoke the one you are using, and generate a new one.

Once you can see your own account profile from the user management API, then we can take the last step and try to disable with a different account ID.

Let me know if that helps you diagnose the problem.
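
The 401-versus-403 triage from this reply, as an added Java example (not part of the thread and not Atlassian's code). The class name and the two environment variable names are assumptions of the example; the sample bodies are the error responses quoted in the thread.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class AdminApiTriage {
    // Header value the user management API expects: "Bearer <admin API key>".
    static String bearer(String key) {
        if (key == null || key.isBlank()) {
            throw new IllegalArgumentException("admin API key is empty");
        }
        String k = key.trim();
        // Tolerate a key pasted with the scheme already attached.
        if (k.regionMatches(true, 0, "Bearer ", 0, 7)) k = k.substring(7).trim();
        return "Bearer " + k;
    }

    // Map a response to the causes discussed in the thread.
    static String diagnose(int status, String body) {
        if (status == 401)
            return "401: token not accepted; check the Bearer prefix and that it is an admin API key";
        if (status == 403 && body != null && body.contains("verified org admin"))
            return "403: token accepted, but caller is not a verified org admin of this account";
        if (status >= 200 && status < 300) return "OK: admin key and account id are both valid";
        return "unexpected status " + status;
    }

    // Read-only probe: fetch a profile before attempting lifecycle/disable.
    static HttpRequest profileRequest(String accountId, String key) {
        return HttpRequest.newBuilder()
            .uri(URI.create("https://api.atlassian.com/users/" + accountId + "/manage/profile"))
            .header("Authorization", bearer(key))
            .GET().build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples, taken from the error bodies quoted in the thread.
        String forbidden = "{\"key\":\"forbidden\",\"context\":\"Error: Caller must be a "
            + "verified org admin of targeted account or be the targeted account\"}";
        System.out.println(diagnose(401, "{\"code\":401,\"message\":\"Unauthorized\"}"));
        System.out.println(diagnose(403, forbidden));
        // Live probe only when both variables are set; the key is never printed.
        String key = System.getenv("ATLASSIAN_ADMIN_API_KEY");
        String id = System.getenv("ATLASSIAN_ACCOUNT_ID");
        if (key != null && id != null) {
            HttpResponse<String> r = HttpClient.newHttpClient()
                .send(profileRequest(id, key), HttpResponse.BodyHandlers.ofString());
            System.out.println(diagnose(r.statusCode(), r.body()));
        }
    }
}
```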

@ibuchanan I created a new token with this URL : Atlassian account

  1. GET /rest/api/3/myself => it’s ok for me.

  2. /users/{account_id}/manage/profile . I try with https://api.atlassian.com/users/{my account ID}/manage/profile ==> I have {"code":401,"message":"Unauthorized"}

  3. JAVA : HttpResponse<String> response = Unirest.post("https://api.atlassian.com/users/5bb4b17fd9ae0f09918839db/manage/lifecycle/disable")
    .header("Content-Type", "application/json")
    .header("Authorization", "Bearer xxxxxxxxxx")
    .asString();

     System.out.println(response.getBody());
    

==> I have {"code":401,"message":"Unauthorized"}

  1. Once you can see your own account profile from the user management API
    How can I see my profile as a user manager API? Must I have the Access product for calling the disable API?

What is wrong ?

Thanks,

@KarimCHERIFI,

When you receive 401 Unauthorized from GET /users/{account_id}/manage/profile, it means you are using the wrong token. You cannot use the same token you use for Jira GET /rest/api/3/myself with the user management APIs. You must use the admin API token. I’m sorry if I have been unclear on this but I have mentioned it twice before in this thread.

OK, I have a new token.
Can you give me the exact URL to create a token? (Sorry, but it’s not clear for me.)

I use this URL :

@KarimCHERIFI,

Yes, that’s correct for the user management APIs. Using that token, do you get 401 Unauthorized?

Yes, I have a 401 error.

@KarimCHERIFI,

I can only conclude there is something wrong with your user account or organization. Diagnosis will require close investigation of your logs and other back-end information, which will require sharing your organization and account id with our support team. Can you open a developer support ticket?

OK thanks, I will ask my manager tomorrow in order to create a support ticket.

@ibuchanan I created a new token with this URL and now it’s working 😃:

My solution:
1/ I added my name to the group “Administrators” before creating a token.
2/ I created a new token:
https://id.atlassian.com/manage-profile/security/api-tokens

Thanks a lot for your help. 🙂
