Correct authentication method for downloading attachments

Hi Community,

We are developing a third-party app for Jira Cloud in which we are accessing attachments of issues.
In the past we used Basic Authentication to get those, but recently, we have encountered a problem so we started to use JWT authentication. It seemed like it has been resolved, but we have a customer who reported that he had no problem before the change, but it’s broken now.

How is it possible that one method works for some users, but not for the others? Is it possible that the Jira Cloud version is not the same for them?
Generally, what is the proper authentication method for getting the attachments?

Hi @ferenc.nagy,

We often use feature flags to roll out changes so it is possible for different customers to report different behaviour.

In the case of getting attachments, both authentication methods should work, but we recommend JWT over basic auth. Are the errors relating to permissions or something else?


Thanks for the information! It seems to be a permission problem, but we need to gather some more input from the customer.


It looks like the problem solved itself, as the attachment access started to work for the customer. Thanks for your help!


Thanks for circling back @ferenc.nagy. 🙂

@dmorrow is downloading attachments supported via OAuth? I cannot find any documentation on this issue and there are numerous completely ignored community posts asking this question.

Hi @aaron2,

Attachment downloading is supported via OAuth 2.0. I tested this with the following Forge app snippet:

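    import api from '@forge/api';

    // Path obtained manually by retrieving issue data: /rest/api/3/issue/{issueKey}
    const contentPath = `/secure/attachment/10005/refapp-attachment.json`;
    // The call chain is cut off in the post as captured; asUser().requestJira() is assumed here.
    const response = await api.asUser().requestJira(contentPath);
    const responseData = await response.json();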

I’ve created ACJIRA-2284 to ensure the API becomes documented.


@dmorrow thank you for the response, my mistake was I was passing in `Bearer: <accessToken>` instead of `Bearer <accessToken>`, which resulted in a redirect to JIRA’s login page. Thanks for following up and creating the ticket!


Might add to that ticket that an error indicating the Authorization header is malformed rather than a redirect to the login URL would make this a little easier to debug.

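The failure mode from the last two posts (a malformed `Authorization` header answered with a redirect to the login page instead of an error), as an added example that is not part of the thread or of Atlassian's code: it validates the bearer credential before sending and turns a login redirect into an explicit failure. The function names, the `/login/` match on the redirect target, the HTML heuristic and the sample URLs are assumptions.

```javascript
// Added example for Node 18+ (global fetch). All names and sample values are constructed.

// RFC 6750 header form is "Bearer <token>": scheme, a single space, then the token.
function bearerHeader(accessToken) {
  const token = String(accessToken).trim();
  // b64token charset from RFC 6750; rejects "Bearer: x", embedded spaces, colons, newlines.
  if (!/^[A-Za-z0-9\-._~+/]+=*$/.test(token)) {
    throw new Error('access token contains characters not valid in a Bearer credential');
  }
  return `Bearer ${token}`;
}

// Decide what an attachment response means. `headers` is a plain object with
// lower-case keys. Matching "login" in the Location value is an assumption.
function classifyAttachmentResponse(status, headers) {
  const location = headers.location || '';
  const type = headers['content-type'] || '';
  if (status >= 300 && status < 400) {
    return /login/i.test(location) ? 'login-redirect' : 'redirect';
  }
  if (status === 401 || status === 403) return 'denied';
  if (status >= 200 && status < 300) {
    // Heuristic: an HTML body where a file was expected is often a followed login page.
    return /^text\/html/i.test(type) ? 'html-instead-of-file' : 'ok';
  }
  return 'other';
}

// Fetch one attachment without following redirects, so an authentication
// problem surfaces as an error rather than as login-page HTML.
async function downloadAttachment(baseUrl, contentPath, accessToken, fetchImpl = fetch) {
  const res = await fetchImpl(new URL(contentPath, baseUrl), {
    headers: { Authorization: bearerHeader(accessToken) },
    redirect: 'manual',
  });
  const verdict = classifyAttachmentResponse(res.status, {
    location: res.headers.get('location'),
    'content-type': res.headers.get('content-type'),
  });
  if (verdict !== 'ok') {
    throw new Error(`attachment download failed: ${verdict} (HTTP ${res.status})`);
  }
  return Buffer.from(await res.arrayBuffer());
}
```

A plain `redirect` verdict is left to the caller, who can decide whether the target host is one it expects before following it.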