Jira Cloud: JQL search REST API returns 200 OK without API token

Platform Notice: Cloud Only - This article only applies to Atlassian apps on the cloud platform.

Summary

In this article, you learn why the Jira Cloud JQL search REST API can return HTTP 200 OK without authentication, what data (if any) is exposed to anonymous requests, and how to configure permissions to control that access.

Diagnosis

The Jira Cloud REST API documentation for the Search for issues using JQL endpoint states that:

“This operation can be accessed anonymously.”

“Permissions required: Issues are included in the response where the user has: read:jira-work, read:issue-details:jira.”

Reference: The Jira Cloud platform REST API

This means:

  • The endpoint itself does not require authentication to return a response.

  • The permissions check is applied per issue. Only issues the calling identity can see (including an anonymous identity) are returned.

Expected behavior

Yes. For this specific endpoint, it is expected that the Jira Cloud Search for issues using JQL API returns HTTP 200 OK without an API token or other authentication.

When you call: GET /rest/api/3/search?jql=project=ABC

without an API token or credentials:

  • The request can succeed with HTTP 200 OK.

  • The response includes only issues that are visible to the anonymous user.

  • If no issues are visible to the anonymous user, the response is a valid but empty result set, for example:

{
  "expand": "schema,names",
  "startAt": 0,
  "maxResults": 50,
  "total": 0,
  "issues": []
}

Solution

Security and permissions

This behavior does not expose all issues in your Jira Cloud site.

  • Only projects and issues that are configured for anonymous access are returned.

  • On most Jira Cloud sites, anonymous access is disabled by default, so:

    • Unauthenticated calls typically return 200 OK with an empty list of issues.

    • You see issues only if your site admin has explicitly allowed anonymous access in project permissions.

If an issue is not visible to anonymous users (for example, because the project does not grant Browse projects to Anyone), it will never appear in the response to an unauthenticated request.

How to restrict anonymous access

If you want to prevent any data from being returned to unauthenticated requests:

  1. Ask a Jira site admin to review project permissions for each project.

  2. In the Permission scheme:

    • Remove Anyone (or other anonymous roles/groups) from:

      • Browse projects

      • Any other permissions that grant read access to issues or their fields.

  3. Save the permission scheme changes and ensure that it is associated with the relevant projects.

Once anonymous access is fully removed:

  • Unauthenticated calls to GET /rest/api/3/search still return HTTP 200 OK, but the response will contain no issues.
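To verify that a permission-scheme change actually removed anonymous visibility, the following added check (example code written for this article, not Atlassian's own tooling) calls the endpoint without credentials and classifies the 200 OK response by the project keys that still appear; the site URL and the two sample responses are constructed placeholders in the documented response shape.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Constructed sample responses in the shape documented for
# GET /rest/api/3/search (not captured from a real site).
EMPTY_RESPONSE = {"expand": "schema,names", "startAt": 0, "maxResults": 50,
                  "total": 0, "issues": []}

EXPOSED_RESPONSE = {
    "expand": "schema,names", "startAt": 0, "maxResults": 50, "total": 2,
    "issues": [
        {"key": "ABC-1", "fields": {"project": {"key": "ABC"}, "summary": "Public roadmap item"}},
        {"key": "DOCS-7", "fields": {"project": {"key": "DOCS"}, "summary": "Install guide"}},
    ],
}


def exposed_projects(search_response):
    """Return the sorted project keys whose issues appear in a search response.

    An empty list means the anonymous identity could not see any issue matching
    the JQL, which is the expected state once 'Anyone' has been removed from
    Browse projects in every permission scheme.
    """
    keys = set()
    for issue in search_response.get("issues", []):
        project = issue.get("fields", {}).get("project", {})
        if "key" in project:
            keys.add(project["key"])
        else:
            # Fall back to the issue key prefix (ABC-1 -> ABC) when the
            # project field was not included in the response.
            keys.add(issue["key"].rsplit("-", 1)[0])
    return sorted(keys)


def assess(search_response):
    """Classify an anonymous search result as 'exposed' or 'clean'."""
    total = search_response.get("total", len(search_response.get("issues", [])))
    return {"status": "exposed" if total else "clean", "total": total,
            "projects": exposed_projects(search_response)}


def anonymous_search(site, jql="order by created DESC"):
    """Unauthenticated call against your own site (no Authorization header).
    site is a placeholder such as 'https://your-domain.atlassian.net'."""
    query = urlencode({"jql": jql, "maxResults": 50, "fields": "project,summary"})
    with urllib.request.urlopen(f"{site}/rest/api/3/search?{query}", timeout=30) as resp:
        return assess(json.load(resp))  # 200 OK is expected even when nothing is visible


if __name__ == "__main__":
    print(assess(EMPTY_RESPONSE))
    print(assess(EXPOSED_RESPONSE))
```

Run `anonymous_search(site)` from a network location that holds no Jira session; any project key in `projects` identifies a permission scheme that still grants Browse projects to Anyone.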

Updated on December 25, 2025
