How can i get attachement(img) with oauth?

Hi. I’m trying to get image from confluence contents.
I made some app and i using oauth2.0 for user auth.
So… i want take attachement(img) like this url.

curl --location --request GET ' ' \
--header 'Authorization: Bearer somethingoauthtoken'


but i got response

    "code": 401,
    "message": "Unauthorized; scope does not match"

i already set scopes

‘read:confluence-space.summary read:confluence-content.all read:confluence-content.summary read:confluence-props’

or is it unpossible get image with oauth bearer token?

if anyone have experience about this problem plz help me…


I can get attachement by Basic authorization(like… token made with [email] + [api_key]) but i need get attachement by oauth token.

As of now, we do not support 3LO for downloading images. We are aware of this and are looking into it but have no ETA for the support.


@JatinChopra Is there a public Jira Ticket the community can watch and vote for this issue?

I don’t think we have one already, so I created this -



@JatinChopra Thanks for create issue.
By the way i wonder… In order for the issue to move forward, what criteria must be met?

Hi @GeunCheolYeom , we’ll continue to monitor vendor asks and reassess the priority for all open tickets based on votes amongst other critical projects the developers are working on. As of now, we do not have an ETA for this issue.

Also, we didn’t break anything as downloading attachments via 3LO was never a supported feature. We did a vulnerability patch which broke vendor apps using undocumented download attachment API. Those download links were and continue to work using Basic Auth.


It’s one thing to make this change intentionally, especially in the name of security, but to deny that you broke something is absurd (particularly when you have not provided an alternative solution). Try asking Linus Torvalds when it’s ok to break user space in Linux, for any reason, including bug fixes.

Any healthy platform and its APIs should look to the wildly successful Linux kernel (or any of the major OSs for that matter) for best practices around the handling of regressions. Atlassian seems to lack a consistent culture in regards to viewing your platform this way, and your ecosystem suffers greatly because of it.


Hi @BobBergman,

It is true that this was an abrupt change, which we sometimes have to do for security reasons. We have an alternative in the works in order to address this gap specifically with downloading attachments, but it will take a bit more time to complete. We are in no way denying that the change may have broken the experience for vendors and customers, but we are specifying that the documented approach should be to use the API gateway rather than direct tenant access for exactly cases such as this. In any case, we are sorry for the impact this has caused and are working to remedy it.



To add to what @PeterObara mentioned, please refer to the current incident in statuspage Atlassian Developer Status - Attachments download using OAuth in Confluence and refer to it for updates in the next days.

Thank you,


I am using OAuth token but unable to hit APIs using domain although able to do it using{cloudid}/{api} . Is this expected behaviour?

Hi @ShwetaGulati, this is the change that was recently made. All API calls must go through



As of now, there’s a new OAuth option for attachments. Thanks to all for input and feedback.

1 Like

finally i can download attachment with OAuth 2.0(3LO). My app work now. Thank you all!

1 Like