HTTP Basic authentication

By default, users can authenticate to the REST API with their password in an HTTP Basic Auth header.

Prevent HTTP Basic Authentication

To avoid the use of passwords in REST integrations, prevent Basic Authentication. Once it is prevented, it is no longer possible to authenticate to the Confluence REST API with a password in Basic Auth.

Allow Basic Auth for users in specific user directories or groups

You can allow Basic Auth passwords for users in specific directories or groups. Any user who matches a configured group or directory is allowed to use Basic Authentication.

Allow or deny Basic Auth for specific IP addresses

In addition, you can allow or deny Basic Auth API requests for users connecting from specific IP addresses or subnets. Open and Strict modes let you control in detail which IP addresses can use a password in Basic Auth REST API requests.

Note that the IP address is checked first, then the group/directory memberships.
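To confirm that the settings above behave as intended for a given account and client address, the following added example (not part of the product or its documentation) sends one password-based Basic Auth request and classifies the answer. It assumes the endpoint `/rest/api/user/current`, that a blocked request is answered with 401 or 403, and that a successful response is JSON with a `username` field; the function names are hypothetical.

```python
import base64
import json
import urllib.error
import urllib.request

# Assumption: endpoint that returns the profile of the authenticated user.
CURRENT_USER_PATH = "/rest/api/user/current"


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value as defined by RFC 7617."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_password_basic_auth(base_url: str, username: str, password: str,
                              timeout: float = 10.0) -> str:
    """Return 'rejected', 'accepted' or 'inconclusive' for one request."""
    req = urllib.request.Request(
        base_url.rstrip("/") + CURRENT_USER_PATH,
        headers={"Authorization": basic_auth_header(username, password),
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        # Assumption: a blocked request is answered with 401 or 403.
        return "rejected" if err.code in (401, 403) else "inconclusive"
    try:
        profile = json.loads(body)
    except ValueError:
        return "inconclusive"
    # Count it as accepted only if the server identified us as this user;
    # a 200 carrying an anonymous profile or a login page proves nothing.
    if isinstance(profile, dict) and profile.get("username") == username:
        return "accepted"
    return "inconclusive"


if __name__ == "__main__":
    import getpass
    import sys
    url, user = sys.argv[1], sys.argv[2]
    print(check_password_basic_auth(url, user, getpass.getpass()))
```

Run it once from an address and account that should be blocked and once from one that is explicitly allowed; the first should print `rejected` and the second `accepted`.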