"Search for issues using JQL (GET)" does not return status 401

Hello,

The "Search for issues using JQL (GET)" REST API does not seem to return status 401 when requests are made without authentication credentials.

The documentation, which seems exactly the same for both v2 and v3, seems in contradiction about this, stating both that “This operation can be accessed anonymously” and also listing 401 as a possible response “Returned if the authentication credentials are incorrect or missing.” This does not appear to be true.

Documentation for “GET /rest/api/2/search”:

Documentation for “GET /rest/api/3/search”:

  • (link removed as new users can only put up to 2 links per post)

Currently, I could only test with v2. The following JQL was used as a simple test:

  • JQL: “project = PROJECT_NAME”
  • https://<JiraServer>/rest/api/2/search?jql=project%20%3D%20PROJECT_NAME

And the results:

  • Without credentials (status 400):
    Response headers include: “X-AUSERNAME: anonymous”
    Data:
    {"errorMessages":["The value 'PROJECT_NAME' does not exist for the field 'project'."],"errors":{}}

  • With credentials (status 200):
    Response headers include: “X-AUSERNAME: <my_username>”
    Data:
    {"expand":"schema,names","startAt":0,"maxResults":50,"total":1234,"issues":[<the_expected_issues>]}

Note that the response data for the status 400 is very misleading, stating that “‘PROJECT_NAME’ does not exist” when in fact it does exist and is correctly retrieved when authenticated, as can be seen in the status 200 response data.

Is there a way to make “GET /rest/api/2/search” return a status 401 when not authenticated? Or even better, only when requesting something not available to “anonymous”. That would be really helpful.

Currently, “GET /rest/api/2/search” seems to always return status 400 for any kind of error, no matter if it was a JQL/syntax problem or an authentication issue. This is really unhelpful.

Because of this, an additional request to “myself” (which successfully returns status 401 when not authenticated) has to be performed every time to check whether the user is authenticated or not. Quite frustrating.

Thank you and best regards,
André Antunes da Cunha
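
The following is an added example, not part of the original post and not Atlassian code: a client-side check that uses the `X-AUSERNAME` response header quoted above to tell a status 400 served to the anonymous user apart from a status 400 served to an authenticated user, without the extra request to "myself". The function name, verdict labels and sample responses are assumptions constructed for illustration.

```python
import json

def header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def classify_search_response(status, headers, body):
    """Classify a search reply as (verdict, user, error_messages)."""
    user = header(headers, "X-AUSERNAME")
    try:
        messages = json.loads(body).get("errorMessages", [])
    except (ValueError, TypeError, AttributeError):
        messages = []  # empty, missing or non-object body
    if status == 200:
        verdict = "ok"
    elif status == 401:
        verdict = "unauthenticated"
    elif status == 400 and user == "anonymous":
        # The query ran as anonymous, so the error text reflects what the
        # anonymous user can see. Treat it as "credentials missing or not
        # accepted" and authenticate before trusting the message.
        verdict = "anonymous_400"
    elif status == 400:
        # The query ran as a named user: the error applies to that user's view.
        verdict = "query_error"
    else:
        verdict = "other"
    return verdict, user, messages

# Constructed samples modelled on the two responses quoted in the post.
ANON = (400, {"X-AUSERNAME": "anonymous"},
        '{"errorMessages":["The value \'PROJECT_NAME\' does not exist '
        'for the field \'project\'."],"errors":{}}')
AUTHED = (200, {"x-ausername": "example_user"},
          '{"expand":"schema,names","startAt":0,"maxResults":50,'
          '"total":1234,"issues":[]}')
TYPO = (400, {"X-AUSERNAME": "example_user"},
        '{"errorMessages":["constructed JQL error text"],"errors":{}}')

if __name__ == "__main__":
    for sample in (ANON, AUTHED, TYPO):
        print(classify_search_response(*sample))
```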