- Type: Bug
- Resolution: Invalid
- Priority: High
- Component/s: Work Item - Search - Backend - JSIS
- Severity 2 - Major
Warranty
Issue Summary
Calling the /rest/api/3/search/jql endpoint with scoped tokens returns no issues, and the response carries x-seraph-loginreason: AUTHENTICATED_FAILED
Steps to Reproduce
- Use the Search for issues using JQL enhanced search (GET) endpoint with Scoped Tokens (https://id.atlassian.com/manage-profile/security/api-tokens) to create a request to run a JQL search in Jira. For example:
https://atl-test-rbes.atlassian.net/rest/api/3/search/jql?jql=project%3D"BOB%20TEST"%20and%20key%3Dbt-36
Scope:
Classic RECOMMENDED: read:jira-work
bash-3.2$ curl --request GET \
> --url 'https://atl-test-rbes.atlassian.net/rest/api/3/search/jql?jql=project%3D"BOB%20TEST"%20and%20key%3Dbt-36' \
> --user 'account:token' \
> --header 'Accept: application/json'
{"issues":[],"isLast":true}bash-3.2$
Or scope:
Granular: read:issue-details:jira, read:audit-log:jira, read:avatar:jira, read:field-configuration:jira, read:issue-meta:jira
curl --request GET \
--url 'https://atl-test-rbes.atlassian.net/rest/api/3/search/jql?jql=project%3D"BOB%20TEST"%20and%20key%3Dbt-36' \
--user 'account:token' \
--header 'Accept: application/json'
Expected Results
The search should return:
{"issues":[{"id":"14597"}],"isLast":true}bash-3.2$
Actual Results
{"issues":[],"isLast":true}bash-3.2$
Verbose call:
Scope Classic RECOMMENDED: read:jira-work
bash-3.2$ curl -v --request GET \
> --url 'https://atl-test-rbes.atlassian.net/rest/api/3/search/jql?jql=project%3D"BOB%20TEST"%20and%20key%3Dbt-36' \
> --user 'account:token' \
> --header 'Accept: application/json'
Note: Unnecessary use of -X or --request, GET is already inferred.
* Host atl-test-rbes.atlassian.net:443 was resolved.
* IPv6: (none)
* ALPN: curl offers h2,http/1.1
* [HTTP/2] [1] OPENED stream for https://atl-test-rbes.atlassian.net/rest/api/3/search/jql?jql=project%3D"BOB%20TEST"%20and%20key%3Dbt-36
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: atl-test-rbes.atlassian.net]
* [HTTP/2] [1] [:path: /rest/api/3/search/jql?jql=project%3D"BOB%20TEST"%20and%20key%3Dbt-36]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: application/json]
> GET /rest/api/3/search/jql?jql=project%3D"BOB%20TEST"%20and%20key%3Dbt-36 HTTP/2
> Host: atl-test-rbes.atlassian.net
> User-Agent: curl/8.7.1
> Accept: application/json
>
* Request completely sent off
< HTTP/2 200
< content-type: application/json;charset=UTF-8
< date: Wed, 24 Sep 2025 13:40:30 GMT
< server: AtlassianEdge
< timing-allow-origin: *
< x-arequestid: 1ef39cb4c587f076a0ab3b7973ddbadb
< x-seraph-loginreason: AUTHENTICATED_FAILED
< set-cookie: atlassian.xsrf.token=125ee57fb8ee3ed6f40eb2fbdc5a2672489a0396_lout; Path=/; SameSite=None; Secure
< cache-control: no-cache, no-store, no-transform
< vary: Accept-Encoding
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< atl-traceid: 0acda6297f8a405bac72a64acbed586a
< atl-request-id: 0acda629-7f8a-405b-ac72-a64acbed586a
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< report-to: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
< nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
< x-cache: Miss from cloudfront
< via: 1.1 6417444f186fcad59e9411723c25d4ee.cloudfront.net (CloudFront)
* Connection #0 to host atl-test-rbes.atlassian.net left intact
{"issues":[],"isLast":true}bash-3.2$
Workaround
Currently, the workaround is to use the CREATE API TOKEN option without scopes in https://id.atlassian.com/manage-profile/security/api-tokens.
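The verbose call above returns HTTP 200 with an empty issue list while x-seraph-loginreason reports AUTHENTICATED_FAILED, so a client that checks only the status code reads a failed login as "no matching issues". The following is an added example, not part of the original ticket or Atlassian's code: a shell check that classifies a response from its headers. The function names and sample headers are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the ticket): classify a Jira Cloud REST response
# from its headers, so a 200 whose login failed is not mistaken for
# "no matching issues".

# Reads raw response headers on stdin (for example from `curl -D -`).
# Prints one of: ok | auth_failed | http_error | no_status
classify_jira_response() {
  awk '
    { sub(/\r$/, "") }                               # headers arrive with CRLF
    $1 ~ /^HTTP/ { status = $2; reason = ""; next }  # each response block resets state
    {
      name = tolower($0); sub(/:.*/, "", name)       # header names are case-insensitive
      if (name == "x-seraph-loginreason") {
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        reason = toupper(val)
      }
    }
    END {
      if (status == "")                         print "no_status"
      else if (reason ~ /AUTHENTICATED_FAILED/) print "auth_failed"
      else if (status + 0 >= 400)               print "http_error"
      else                                      print "ok"
    }'
}

# Constructed sample: the header pattern shown in the verbose call.
sample_failed() {
  printf 'HTTP/2 200\r\ncontent-type: application/json;charset=UTF-8\r\nx-seraph-loginreason: AUTHENTICATED_FAILED\r\n\r\n'
}

# Constructed sample: the same response without the failure marker.
sample_ok() {
  printf 'HTTP/2 200\r\ncontent-type: application/json;charset=UTF-8\r\n\r\n'
}
```

To use it against a live call, send the body to a file and the headers to the function, for example by adding `-sS -o body.json -D -` to the curl command and piping its output into `classify_jira_response`.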