How does work "Get my permissions" when called anonymously?

Hi community,

Trying to call the my permission end-point to get permissions for the connected user from my connect app (registered in a Jira cloud for dev env), it’s not working properly, always returning false for all the permissions I check, even when a site admin is connected.

What I don’t understand is : how does Jira know which user is asking to know their permissions since the API doesn’t mention any parameter nor header helping identifying the user ?

Thanks to help me to understand how this works :slight_smile:
Best regards,

Jira knows the user from the authorization of the user. E.g. from the authorization header. The user is not in the API route.

Hi Marc, thanks for your answer.
By the authorization header, in my case of an app using JWT, you mean I should also add this authorization JWT header to the call.
I tried but then I got a 401 on the call.
Maybe I misunderstand something.

Yes, you must add the header to the API call.

You can also, for testing, use the basic auth header used in the example code in the documentation. That should get you started and return another value than false.

Ok, I’ll try with an API key but that’s weird I got a 401 when I add the auth header with the user JWT I got from Jira …

So … I tried with an API token and it worked fine.
But my app can’t use API tokens from all our customer Jira instances ! I need to have it working properly with the JWT sent by Jira for the connected user. Am I only supposed to add a HTTP header :

Authorization: JWT <the_jwt_got_from_Jira_call>


The Atlassian connect frameworks have a method to add the authorization header for you.

See Connect app authorization

Yes, but unfortunately my app was written without this framework so I need to write it on my own.

I finally managed to have something working (no more 401) by building the usual JWT with qsh we used to query Jira API, not reusing the JWT sent by Jira admin page.
But … again, Jira doesn’t know who is asking so answering always yes (based on the shared secret ??) to the question : has the user ADMINISTER permission ?

Any other idea ? :slight_smile:

So, I moved to the API call get bulk permissions using the accountId to check instead.
But still, understand how to call get myPermissions in details from a connect App is interesting and useful :slight_smile: