HTTP 401 when accessing some JIRA REST endpoints using JWT Bearer token


I am using JWT Bearer tokens to access JIRA REST API in my cloud add-on:

I can successfully get an access token from and I can use it to access some endpoints but not others. E.g. these are working:

  • /rest/api/2/configuration
  • /rest/api/2/search

But this is not (returns HTTP 401):

  • /rest/api/2/permissions

My addon’s permissions are:

 "scopes": [

These are the claims I set for the authentication service:

return jwtTokenGenerator.generate(PluginConstants.ATLASSIAN_AUTH_SERVER_TOKEN_PATH, HttpMethod.POST, (queryHash, documentRenderingRequest) -> {
    long iat = System.currentTimeMillis() / 1000;
    return new JwtBuilder()
            .expirationTime(iat + 60L)
            .issuer("urn:atlassian:connect:clientid:" + documentRenderingRequest.getOauthClientId())
            .subject("urn:atlassian:connect:userkey:" + documentRenderingRequest.getUserKey())
            .claim("tnt", config.getBaseUrl())

And the code I use to contact the authentication service:

private static String JWT_BEARER_URN = "urn:ietf:params:oauth:grant-type:jwt-bearer";

HttpClient httpClient = HttpClients.createDefault();
HttpPost httpPost = new HttpPost(PluginConstants.ATLASSIAN_AUTH_SERVER + PluginConstants.ATLASSIAN_AUTH_SERVER_TOKEN_PATH);
HttpEntity entity = new StringEntity(String.format("grant_type=%s&assertion=%s", JWT_BEARER_URN, assertionToken));

Am I missing something?

Thanks in advance.

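The claims set in the post above (`iss`, `sub`, `tnt` and an expiry of `iat + 60`) can be checked before the assertion is sent to the authentication service. This is an added example, not code from the original post or from Atlassian. The class name, method names and sample values are hypothetical, and it assumes the builder's `.issuer`, `.subject` and `.expirationTime` calls produce the standard `iss`, `sub` and `exp` claims.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

// Added example (hypothetical names): pre-flight checks on the assertion's claims.
public class AssertionCheck {
    // Decode the payload segment for inspection only; no signature verification happens here.
    static String payloadJson(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IllegalArgumentException("expected header.payload.signature");
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    // Minimal lookup for a flat payload; a real add-on would use its JSON library instead.
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(\\d+))").matcher(json);
        return !m.find() ? null : (m.group(1) != null ? m.group(1) : m.group(2));
    }

    static List<String> problems(String jwt, long nowSeconds) {
        String json = payloadJson(jwt);
        List<String> out = new ArrayList<>();
        String[][] prefixed = {{"iss", "urn:atlassian:connect:clientid:"}, {"sub", "urn:atlassian:connect:userkey:"}};
        for (String[] p : prefixed) {
            String v = claim(json, p[0]);
            // "prefix" + null concatenates to "...:null" in Java, so an unset id still looks like a URN.
            if (v == null || !v.startsWith(p[1]) || v.length() == p[1].length() || v.endsWith(":null"))
                out.add(p[0] + " is missing or malformed: " + v);
        }
        if (Objects.toString(claim(json, "tnt"), "").isEmpty()) out.add("tnt (tenant base URL) is missing");
        String exp = claim(json, "exp");
        if (exp == null || !exp.matches("\\d{1,18}")) out.add("exp is missing or not a number: " + exp);
        else if (Long.parseLong(exp) <= nowSeconds) out.add("exp is already in the past");
        else if (Long.parseLong(exp) > nowSeconds + 3600) out.add("exp is far ahead; milliseconds instead of seconds?");
        return out;
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis() / 1000;
        // Constructed sample: a null user key concatenated into the subject URN.
        String payload = "{\"iss\":\"urn:atlassian:connect:clientid:example-client\","
                + "\"sub\":\"urn:atlassian:connect:userkey:null\","
                + "\"tnt\":\"https://example.atlassian.net\",\"exp\":" + (now + 60) + "}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String jwt = enc.encodeToString("{\"alg\":\"HS256\"}".getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".constructed-signature";
        problems(jwt, now).forEach(System.out::println);
    }
}
```

An empty list from `problems` only means the claims are well-formed; it does not show that the user named in `sub` is authorized for a given endpoint.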

Let’s start by eliminating a couple of possible causes:

Are you adding the Authorization header to your request to the JIRA instance?

Authorization: Bearer {your-access-token}

Can you confirm that the JIRA user on whose behalf the request is being made is a JIRA Administrator? The /rest/api/2/permissions end-point is supposed to return 403 if the user is not an administrator, but maybe it returns 401 instead.

Another thought: do you really need to use JWT Bearer token authorization grant type to access the /rest/api/2/permissions end-point? Why not use a normal JWT request?


Yes, the header is correct (I am logging it to the console).
There is one user in my cloud developer account, “admin”. Running the code against /rest/api/2/myself returns:

  "self": "",
  "key": "admin",
  "name": "admin",
  "emailAddress": "",
  "avatarUrls": {
    "16x16": "",
    "24x24": "",
    "32x32": "",
    "48x48": ""
  "displayName": "Gábor [Administrator]",
  "active": true,
  "timeZone": "Europe/Berlin",
  "locale": "en_US",
  "groups": {
    "size": 4,
    "items": []
  "applicationRoles": {
    "size": 3,
    "items": []
  "expand": "groups,applicationRoles"

That’s a good idea. I ran some quick tests with a JWT header and token instead of a Bearer but still no success:

  1. /rest/api/2/configuration successfully returns:
  2. But if I change the URL (and nothing else) to /rest/api/2/settings/columns, I get a 403 Forbidden response.

When I am logged in as admin in my browser, the exact same URL works perfectly.

Please check that the JIRA user representing your add-on has JIRA Administrator permission. For example, in our test server we have this:

…and if you click on View Users, you see that the Risk Register add-on is a member of that group:

Hi David,

Thanks for your hint! I checked and it seems to be correct, my add-on is listed there:

So I will keep investigating…

Do you get any kind of error message in the body of the response?

The body contains an HTML page, this is the relevant part:

<section class="aui-page-panel-content">
                    <header class="aui-page-header"><div class="aui-page-header-inner">
                            <div class="aui-page-header-main">
                                    <h1>Forbidden (403)</h1>
                                </div><!-- .aui-page-header-main -->
                        </div><!-- .aui-page-header-inner --></header><!-- .aui-page-header -->
                    <div class="aui-message aui-message-warning warning">
                            <p>Encountered a <code>&quot;403 - Forbidden&quot;</code> error while loading this page.</p>
                            <p><a href="/secure/MyJiraHome.jspa">Go to JIRA home</a></p>
                </section><!-- .aui-page-panel-content -->

Not sure it will solve the problem, but please try again with the following header in your request:

Accept: application/json

Same results :(

I am facing the same issue. Has this been resolved?