Hi Folks,

Overview: We've a requirement here where external cloud application (Plutora) make calls to our JIRA rest API in order to access the data in JSON format. We've our organisation specific API Gateway and all calls from external to internal application is via our API Gateway. As part of security policy, all the calls needs to be secured by Basic Authentication.

Problem Statement :

From the testing API Standards, the expectation is that for any rest API is to expect the 'Authorization' header for each call. Below are the test steps that been followed and need your support in this for resolution
Step 1. When the first call made to API (/rest/api/2/search?jql=<jql-query>&fields=<field-query>&maxResults=<maxResults-query>) without any 'Authorization' header, the JIRA API responds as 200 Ok with below JSON response :
{
"startAt": 0,
"maxResults": 10,
"total": 0,
"issues": []
}

As part of our API Standard in our Organization, the result should return as 401 (Unauthorized).

Step 2. When the call made with 'Authorization' header, the JIRA API responds as 200 Ok with the expected JSON response.
Step 3. The next call made without any 'Authorization' header, the JIRA API responds as 200 Ok with the same response as above in Step-2. The expectation is 'JIRA' should return 401 error code.

Please let us know if there is any way we can enable the JIRA API to behave as per our requirement. The only case where we see 401 is when the first call made with wrong credentials as part of Basic base-64 credentials.

Regards,

Amar