API tokens allow remote agents to establish personalized integrations with Atlassian applications and installed third-party apps.

More secure than HTTP Basic Auth

API Tokens have several benefits over traditional basic auth, including:

Minimal changes are required if you want to replace existing basic auth integrations with API tokens, as you only need to replace the passwords with a token value. Kantega SSO Enterprise also allows you to disable HTTP basic auth integrations altogether.

Remember that the API tokens grant access to make requests on behalf of a user, and these values should be considered as sensitive as passwords. They should not be shared or distributed to untrusted parties. All requests should also use HTTPS endpoints.

Manage API tokens

Admin users can manage tokens by opening the Kantega SSO configuration and clicking API Tokens under API authentication in the Common menu.

Security control

Admins can restrict and control the usage of API tokens in terms of:

As an admin, you will be able to see all API tokens, including those created by other users.

Given the restrictions in the image above, only certain users that are members of token-users are allowed to create tokens, and the maximum duration they can set is 90 days.

Create tokens

When non-admin users are allowed to create API tokens, they will find a Manage API tokens link in their top-right user menu (as shown below).

To create a token, you specify a token name (alias), select how long the token should exist, and click Generate token. As admin, you can create tokens and view all existing tokens, as shown in the image below. Also notice in the table below that the token created by the user stelin is deactivated, because this user is not a member of the token-users group.

You will then see a dialog window where the actual token value is exposed. Copy this value and apply it in your remote client integration setup.

You are only allowed to create tokens related to your user account. To create tokens for other user accounts, you must log in with the relevant user and then create tokens.

Use an API token

Below are several examples of how to construct HTTP requests with API tokens in various programming languages:


curl -u username:my-api-token https://jira.example.com/rest/


// Using fetch: username and apiToken hold the account name and the token value
const response = await fetch('https://jira.example.com/rest/', {
  headers: {
    'Authorization': `Basic ${btoa(`${username}:${apiToken}`)}`
  }
});
const result = await response.json();

// Using XMLHttpRequest
const http = new XMLHttpRequest();
const url = 'https://jira.example.com/rest/';
http.open("GET", url, true, username, apiToken);
http.withCredentials = true;
http.send();


      'auth': {
         'user': 'username',
         'pass': 'my-api-token'
      }


import requests
r = requests.get('https://jira.example.com/rest/', auth=(username, api_token))


// Apache HttpClient; username and apiToken are String variables
HttpClient client = HttpClientBuilder.create().build();
HttpPost post = new HttpPost("https://jira.example.com/rest/");
String encoding = Base64.getEncoder().encodeToString((username.concat(":").concat(apiToken)).getBytes("UTF-8"));
post.setHeader(HttpHeaders.AUTHORIZATION, "Basic " + encoding);
HttpResponse response = client.execute(post);
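
The advice above to treat tokens like passwords and to use only HTTPS endpoints can be enforced in the client itself. The following is an added example, not code from Kantega or the original page: it reads the token from the environment instead of the source file, refuses non-HTTPS URLs, and redacts the header for logging. The environment variable names JIRA_USER and JIRA_API_TOKEN and all function names are assumptions.

```python
import base64
import os
import urllib.request
from urllib.parse import urlsplit


def basic_auth_header(username: str, token: str) -> str:
    """Encode 'username:token' as an HTTP Basic Authorization header value."""
    if ":" in username:
        # RFC 7617: the user-id part cannot contain a colon.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(url: str, username: str, token: str) -> urllib.request.Request:
    """Build a GET request, refusing URLs that would expose the token."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("API tokens must only be sent to https:// endpoints")
    if parts.username or parts.password:
        # Credentials in the URL end up in proxy logs and shell history.
        raise ValueError("do not embed credentials in the URL")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(username, token))
    return req


def redact(req: urllib.request.Request) -> dict:
    """Return the request headers in a form that is safe to log."""
    return {
        name: "Basic <redacted>" if name.lower() == "authorization" else value
        for name, value in req.header_items()
    }


if __name__ == "__main__":
    # Assumed variable names; set them in the integration's secret store or shell.
    user = os.environ.get("JIRA_USER")
    token = os.environ.get("JIRA_API_TOKEN")
    if not (user and token):
        raise SystemExit("set JIRA_USER and JIRA_API_TOKEN")
    req = build_request("https://jira.example.com/rest/", user, token)
    print(req.full_url, redact(req))
    # Send with: urllib.request.urlopen(req, timeout=10)
```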