Hi! I’m trying to understand how to authenticate to Confluence Cloud from a script, but the Confluence documentation on API tokens appears to be contradictory.
The original " Deprecation notice - Basic authentication with passwords" announces that basic authentication with passwords has been deprecated and that I should upgrade my ‘app or integration’ to use an API token instead. All good so far.
I have followed the link in the announcement to the documentation on managing API tokens, and created a token. In order to test that I can authenticate with Confluence using the token I am following the instructions Basic auth for REST APIs, however both the ‘Simple example’ and ‘Supplying basic auth headers’ fail to authenticate (HTTP response code 401) and return the message “Basic authentication with passwords is deprecated,” even though I am using an API token. The message includes a link to the basic auth deprecation notice, taking me back to where I started.
Can an API token be used from a script to authenticate to Confluence
Is there any other documentation on how to use an API token from a script to authenticate to Confluence Cloud?
Are there any other examples of how to, for example, authenticate to Confluence Cloud using curl and an API token?
In the overwhelming majority of cases where people are getting that error, it’s because they are supplying just the raw token by itself, which it sounds like you’re trying to do, or the raw key:token pair directly in the request header without first encoding the combination via Base64 first, as described in the Supplying basic auth headers section of the Basic AUTH for REST APIs documentation.
The cURL simple example shows just that:
curl -D- \
-u <your_email@domain.com>:<your_user_api_token> \ <-- Here the username:token pair are encoded into a base64 string by cURL, then put into the header for you -->
-X GET \
-H "Content-Type: application/json" \
https://<your-domain.atlassian.net>/wiki/rest/api/space
Following the instructions in the Basic auth for REST APIs documentation that I referenced, I’m trying the username:api token pair directly according to the ‘Simple example’, and I’m trying base64 enconding the username:api-token in a basic auth header according to the ‘Suppling basic auth headers’ section. I’m getting a 401 response in both cases.
I find it interesting that it doesn’t report something like ‘authorization failed’, it reports ‘Basic authentication with passwords is deprecated’ even though I’m not using username:password authentication. I’m attempting to use a base64 encoded username:api-token pair in an authorization header.
@sunnyape, just double checking what you wrote in your comment you’ve indicated using the curl -u switch. That takes a username:password pair, or if you only provide it with a single argument it interprets that as the username and prompts you for the password at the command line. This means that if I use -u followed by the base64 encoded username:api-token, that string gets interpreted as the username and it prompts me for a password. Did you mean -H "Authorization: Basic <base64 encoded username:api-token pair>?
If I try to use the -u switch or if I use -H "Authorization: Basic ... I get HTTP 401 and the basic authentication deprecation notice. Just trying things, I tried `-H “Authorization: Bearer …” and that returned a 404 instead of a 401. Is Bearer authorization more correct than Basic?
I’m also unsure about the REST API URL. I’ve been trying <my-domain.atlassian.net>/wiki/rest/api// and <my-domain.atlassian.net>/rest/api/content/, both with no success. Any suggestions on API URLs are welcome too.
Thanks for stopping by @iragudo. Do you have any comments on this issue?
Reading more docs https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-getContentById, it says that the API will return 404 if the user is not authorized, so in my tests above using Bearer authorization the encoded username:api-token is getting interpreted as the old personal access token and failing to authenticate.
Yes, the cURL -u switch will do the base64 encoding of a username:token pair for you, then cURL will put that resulting string into the authentication part of the header for you.
Alternatively, yes, if you already know what the base64 encoded string is, you would omit the -u switch and use the -H switch to put that directly into the header, like:
If I understand what you’ve said, and the Confluence documentation, using the -u switch and using an authorization header with the base64 encoded credentials both perform ‘basic authentication’. Am I to understand that only basic authentication with user account passwords has been deprecated? Basic authentication with an API token should still work? When I get a http 401 using curl, with the message “Basic authentication with passwords is deprecated,” is that a notice only, and not an error?
Are there any other methods for testing that authorization with API tokens works?
This documentation link is for the Confluence server; the Confluence Cloud REST API counterpart can be found here.
This is an error and not a notice. This is also returned if the API token you used is incorrect. You can try creating a new API token and running the script.
I tried the following script on my terminal and it works as expected,
curl -X GET https://my-instance.atlassian.net/wiki/rest/api/content -H 'Content-Type: application/json' --user 'ian_email@atlassian.com:API_TOKEN'
In order to have a better understanding of where you are currently, can you share the script you are using (with the credentials redacted)?
Thanks @iragudo for the contribution! I think my problem was the URL. I can do a GET using basic auth with curl now. Thanks for clarifying which API documentation I should be referring to.