Which authentication method to use for machine to machine access?

My organisation has a very simple requirement.

We want to grab all data from JIRA Cloud, like issues from all projects and so via REST API (not webhook) using our custom Python script.

There are several authentication mechanisms: Basic Auth, OAuth2, Connect, Forge etc. I’m more than super confused about which method to use. Only Basic Auth makes sense, which we don’t want to use, as it’s a service that will use it and we don’t want any person to be attached to it, i.e. we need machine to machine or service to service access. We could use a service user but it doesn’t provide any access scope; we don’t want to make a DL email an admin or give it such access.

We tried OAuth2 but it looks like there is a person involved as well; we don’t see any way of getting an access token without a logged-in user interaction.

Connect seems even more confusing: we’re not sure if it’s appropriate, and can’t find any guide on how to create an integration/app, where to get the keys and secrets…

Any help is appreciated.

1 Like

Hello @MuhammadUsman

There is no single answer, as there is always a ‘person’ involved, since authenticating to the REST API requires a user’s credentials. The only difference is that OAuth is meant for applications that will present that user, a real person, with an interface to approve the application, whereas Basic Auth is meant for scripts where that user’s credentials (a key and a token) are either embedded in the script or looked up from another source.

There really isn’t a problem with having a service account set aside for your Python scripts to use for Basic Auth sessions. Once you generate the key / token for that service account, use some sort of hashing / encrypting method to encode it and then store it in a text file that only the scripts can access. When the Python scripts run, they just un-hash the information from the file, then use the extracted key / token for the session.

I personally like the idea of disposable service accounts; they can be set to have a limited lifespan and you can always delete and re-generate their keys / tokens if you think those credentials have become too widely known by transient staff.

1 Like
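The service-account Basic Auth pattern from the reply above, written out as an added example (it is not code from the thread or from Atlassian). It assumes a credential file holding `email:api_token` on one line that is readable only by the script's own user, a Jira Cloud site URL, and the standard `/rest/api/3/search` endpoint with `startAt`/`maxResults` paging; the `get_json` parameter is a hypothetical hook so the paging logic can be exercised without network access.

```python
import base64
import json
import os
import stat
import urllib.parse
import urllib.request
from typing import Callable, Iterator


def is_private_mode(mode: int) -> bool:
    """True if the file mode grants no permissions to group or others (e.g. 0o600)."""
    return not (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def load_credentials(path: str) -> tuple[str, str]:
    """Read 'email:api_token' from a file; refuse files other users can read."""
    mode = os.stat(path).st_mode
    if not is_private_mode(mode):
        raise PermissionError(f"{path} is readable by group/others (mode {oct(stat.S_IMODE(mode))})")
    with open(path, encoding="utf-8") as fh:
        email, token = fh.read().strip().split(":", 1)
    return email, token


def basic_auth_header(email: str, token: str) -> str:
    """Jira Cloud Basic Auth: base64 of 'email:api_token', never the account password."""
    return "Basic " + base64.b64encode(f"{email}:{token}".encode()).decode()


def http_get_json(url: str, auth_header: str) -> dict:
    """Plain urllib GET returning the decoded JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header,
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_issues(base_url: str, auth_header: str, jql: str = "order by created asc",
                page_size: int = 100,
                get_json: Callable[[str, str], dict] = http_get_json) -> Iterator[dict]:
    """Walk the search endpoint page by page until every issue has been yielded."""
    start = 0
    while True:
        url = (f"{base_url}/rest/api/3/search?jql={urllib.parse.quote(jql)}"
               f"&startAt={start}&maxResults={page_size}")
        page = get_json(url, auth_header)
        issues = page.get("issues", [])
        yield from issues
        start += len(issues)
        if not issues or start >= page.get("total", 0):  # empty page or all fetched
            break
```

Rotating the service account's API token then only means replacing the contents of the credential file; nothing in the script changes.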