You can secure your REST API by closing down a list of endpoints to only accept API tokens as the authentication method.
When your chosen REST endpoint paths are specified in your configuration, the only way to authenticate with these endpoints is using API tokens.
As shown in the image below, you can Restrict API Authentication, which enforces REST API authentication on all incoming requests to the REST API. The response to invalid credentials will be HTTP 401 UNAUTHORIZED. The Complete Lockdown will block all requests not containing valid API tokens and will break existing functionality if it is not applied with care (for instance, locking down the entire REST API will also compromise Jira’s internal queries to its REST API). The intention of the complete lockdown is for the case when you have a specific resource that is very sensitive.
You may also customize an error message that will come in the response message to clients that have received an HTTP 401 UNAUTHORIZED due to their credentials not matching a valid API token.
