Plugin REST module anonymous access

Hey community,

I’m writing a REST plugin module to handle an incoming webhook. The request does not carry an authorization header, so I annotated the method in the rest servlet with @anonymousAllowed as described in the atlassian-rest-api-design-guidelines docs. However, during testing I get a 401 unauthorized response.

My first guess was that the permission scheme does not allow anonymous (there are no ‘anyone’ roles defined), but considering this is a custom plugin, shouldnt the annotation supersede this configuration?

If I were to change the scheme, wouldn’t this expose other methods in the standard api? Is there a way to only allow my methods anonymous execution?


Just recently I had to deal with the bug in my add-on related to authentication in addon REST api.

Everything what you have mentioned about AnonumousAllowed annotation worked fine for me. Also you are right that project’s permission scheme doen’t affect/enforce authentication of Rest api endpoint.

In my case I had to mark GET requests with amonumousAllowed because if project was opened for public access the on issue view request to my api failed.

You can mark individual methods of your api as “public” and it has no side effects on any other system or addon rest api.


Using the rest api browser tool I found that all my custom rest apis are considered private to the system.
I have not found how I would declare an api public though.
I tried annotating the class instead of the individual methods, but this did not help.

This makes me wonder whether there is some other way to process incoming webhooks.
If this is the case, a link to that documentation would be appreciated.

I found the problem: by default Jira demands that all incoming request (from outside application pages) are whitelisted. You can either turn this function off, or add the incoming webhook origin pattern to the whitelist. Both options are done in the Admin>System>security>whitelist section.