Confluence REST API to remove anonymous access to a space/page

Hi All,

I am looking for an API that can be used to remove the anonymous access to a space or a page.

I tried using the API Remove space permission mentioned in the documentation, but I was getting “Scope doesn’t match” in the response.

Not sure if this is due to the access restriction mentioned - “Apps cannot access this REST resource - including when utilizing user impersonation”

Can someone please suggest if there is any workaround provided for this?


Hi @Ravi90,

The only way to do this is to create a user token, as documented in

Then find the id of the permission. You can do this with

curl --silent --user <email>:<token> --request GET --url 'https://<sitename>/wiki/rest/api/space/{spaceKey}?expand=permissions'

And look for an entry that has "anonymousAccess": true

      "id": 1463877633,
      "operation": {
        "operation": "read",
        "targetType": "space"
      },
      "anonymousAccess": true,
      "unlicensedAccess": false

And then call with HTTP DELETE, using the id

curl --silent --user <email>:<token> --request DELETE --url 'https://<sitename>/wiki/rest/api/space/{spaceKey}/permission/1463877633'

Hope this helps.


@jrichards, thanks for the quick response.

When I tried the above, it gave me the following response:

{"statusCode":403,"data":{"authorized":false,"valid":false,"errors":[{"message":{"translation":"User isn't authorized to modify permissions.","args":[]}}],"successful":false},"message":"com.atlassian.confluence.api.service.exceptions.PermissionException: User isn't authorized to modify permissions."}

The user I was trying to use is an admin user and all the permissions have been set to use the REST APIs for this user.

Any idea why this is still happening?


Sorry @jrichards, it was my bad. I didn’t remove the bearer token from the header while trying this. This seems to have worked after removing the authorization header.

Thanks very much for the help.



Hi @Ravi90,

Thanks for the update. Basic authentication curl --user <user>:<token> doesn’t need a Bearer token as it’s using Basic authentication in the headers (which you can see with curl --verbose). Bearer tokens are usually for Connect apps.

Anyway, glad to see it’s all working now.


Got it @jrichards
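
Added example, not part of any post in this thread: the lookup and delete steps from the answer above as a Python dry run that finds every grant with "anonymousAccess": true (a space can carry more than one) and builds each DELETE call with Basic auth as its only Authorization header. The sample response, the space key DOCS, the site name, the credentials and all function names are assumptions made for illustration; only the first permission id comes from the thread.

```python
import base64
import json
import urllib.request

# Constructed sample of GET /wiki/rest/api/space/{spaceKey}?expand=permissions.
# Layout assumed from the fragment in the answer; the 2nd and 3rd ids are made up.
SAMPLE_SPACE = json.loads("""
{"key": "DOCS", "permissions": [
  {"id": 1463877633, "operation": {"operation": "read", "targetType": "space"},
   "anonymousAccess": true, "unlicensedAccess": false},
  {"id": 1463877634, "operation": {"operation": "create", "targetType": "comment"},
   "anonymousAccess": true, "unlicensedAccess": false},
  {"id": 1463877635, "operation": {"operation": "administer", "targetType": "space"},
   "anonymousAccess": false, "unlicensedAccess": false}
]}
""")


def anonymous_permissions(space):
    """Return (id, operation, targetType) for every grant with anonymousAccess true."""
    found = []
    for perm in space.get("permissions", []):
        if perm.get("anonymousAccess") is True:
            op = perm.get("operation", {})
            found.append((perm["id"], op.get("operation"), op.get("targetType")))
    return found


def delete_request(site, space_key, perm_id, email, token):
    """Build the DELETE call with Basic auth as the only Authorization header."""
    url = f"https://{site}/wiki/rest/api/space/{space_key}/permission/{perm_id}"
    basic = base64.b64encode(f"{email}:{token}".encode()).decode()
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Authorization", f"Basic {basic}")  # no Bearer header alongside
    return req


def plan(space, site, email, token):
    """One DELETE request per anonymous grant found in the space JSON."""
    return [delete_request(site, space["key"], perm_id, email, token)
            for perm_id, _op, _target in anonymous_permissions(space)]


if __name__ == "__main__":
    for req in plan(SAMPLE_SPACE, "example.atlassian.net", "admin@example.com", "TOKEN"):
        print(req.get_method(), req.full_url)  # dry run; urllib.request.urlopen(req) sends it
```

Re-running the GET after the deletes and checking that anonymous_permissions() returns an empty list confirms the space no longer grants anonymous access.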