Example: Authorization
This example is for both Jira and Confluence versions of Web Triggers.
By default, the URLs provided by Web Trigger have no built-in authentication. As such, anyone who has the URL can invoke its related function without providing an authentication token. You should keep these URLs secure. Alternatively, you can implement authentication logic inside the trigger itself.
For example, you can add a check for an authorization header in the request and validate the provided token against an expected value.
Never hardcode real secrets directly in your script code. In the example below, EXPECTED_TOKEN is a placeholder. In a production environment, store secrets securely using the Secrets app or another secrets management solution, and load the value at runtime.
/* no import needed: 'api', 'route', 'fetch', 'authorize', 'request' are available as global variables */
// TODO: replace with a value loaded securely at runtime; never hardcode real secrets
const EXPECTED_TOKEN = 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==';
if (request.headers['authorization']?.[0] !== EXPECTED_TOKEN) return ({
    statusCode: 403,
    statusText: 'Not Permitted'
});
return ({
    statusCode: 200,
    statusText: 'OK'
});
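A hardened variant of the check above, as an added example rather than code from the product documentation: it fails closed when no expected token was loaded, rejects missing or duplicated Authorization values, and compares the token without stopping at the first mismatch. The function names `constantTimeEqual` and `checkAuthorization`, the 500 response and the sample token are assumptions of this example; the header shape is assumed to match the script above.

```javascript
// Added example (not product code). Pure JavaScript with no imports, so it
// does not depend on which modules the script runtime exposes.

// Compare two strings without stopping at the first mismatch, so response
// time does not reveal how many leading characters of the token were right.
function constantTimeEqual(a, b) {
  const len = Math.max(a.length, b.length);
  let diff = a.length ^ b.length; // a length mismatch alone already fails
  for (let i = 0; i < len; i++) {
    // charCodeAt past the end yields NaN; `| 0` turns that into 0
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  }
  return diff === 0;
}

// headers: lower-case header names mapped to arrays of values (assumed to be
// the shape the page's example reads with request.headers['authorization']?.[0]).
function checkAuthorization(headers, expectedToken) {
  // Fail closed when no secret was loaded: an empty expected value must
  // never match an empty or missing header.
  if (typeof expectedToken !== 'string' || expectedToken.length === 0) {
    return { statusCode: 500, statusText: 'Authorization Not Configured' };
  }
  const values = headers?.['authorization'];
  // Require exactly one Authorization value (choice of this example)
  if (!Array.isArray(values) || values.length !== 1 ||
      typeof values[0] !== 'string' ||
      !constantTimeEqual(values[0], expectedToken)) {
    return { statusCode: 403, statusText: 'Not Permitted' };
  }
  return { statusCode: 200, statusText: 'OK' };
}

// Constructed sample requests; the token is a made-up value, not a real secret.
function demo() {
  const token = 'Bearer constructed-sample-token';
  return [
    checkAuthorization({ authorization: [token] }, token).statusCode,
    checkAuthorization({ authorization: ['Bearer wrong'] }, token).statusCode,
    checkAuthorization({}, token).statusCode,
    checkAuthorization({ authorization: [''] }, '').statusCode,
  ];
}
console.log(demo());
```

Inside a trigger script, the final statement would be `return checkAuthorization(request.headers, token)`, with `token` loaded at runtime as the text above advises.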