Starting with version 1.8.3 we are also allowing authentication with tokens on the attachment download endpoints for Jira and Confluence.
The workaround described below is not required anymore.

For best security practices we recommend enabling the Disable Basic Authentication with User Password option in the system-wide settings.
Enabling Disable Authentication with Session Cookies provides additional security but requires sending the authentication header with every request.


In order to download attachments, one needs to authenticate against a REST endpoint first and use the session cookie for the subsequent request to retrieve the attachment via the non-REST endpoint. Below are some Curl examples for Jira and Confluence.

Jira

Python

The Jira Python library provides some convenient methods to retrieve Jira content. Please see https://pypi.org/project/jira/ for installation instructions.
The following snippet shows how to authenticate with a user and API token and how to download attachments from an issue.

from jira import JIRA
 
username = "someuser"
apitoken = "sometoken"
download_folder = "/path/to/download/folder/"
server =  "https://<jira-base-url/"
 
jira = JIRA(basic_auth=(username, apitoken), options={'server': server})
issue = jira.issue(<issue-key>, fields='summary,comment,attachment')
 
for attachment in issue.fields.attachment:
    with open(download_folder + '%s' % (attachment.filename), 'wb') as file:
        file.write(attachment.get())
PY

Curl

Jira provides details about issue attachments on the following endpoint. The response JSON can be parsed to get the download URL.

https://<jira-url>/rest/api/2/issue/<issueIdOrKey>?fields=attachment
CODE


List attachments, get session from API Token authentication at the same time

The following call lists all attachment details for a given issue in Jira and saves the session cookie. You need to parse the JSON output to get the attachment download URL.

curl -c /path/to/some/folder/cookie-jar.txt -u username:apitoken "https://<jira-url>/rest/api/2/issue/<issueIdOrKey>?fields=attachment"
CODE

Use that session cookie for download or any subsequent calls

The below call shows how to use the session cookie again to download the file, using the download URL retrieved after parsing the response with the call before.

curl -b /path/to/some/folder/cookie-jar.txt "https://<jira-url>/secure/attachment/10100/portallog.jpg" --output /path/to/some/folder/portal_logo.jpg
CODE

Confluence

Curl

Confluence provides details about page attachments on the following endpoint. The response JSON can be parsed to get the download URL.

https://confluence-url/rest/api/content/<page-id>/child/attachment
CODE

List attachments for a page, get session from API Token authentication at the same time

The following call lists all attachment details for a given page id in Confluence and saves the session cookie. You need to parse the JSON output to get the attachment download URL.

curl -c /path/to/some/folder/cookie-jar.txt -u username "https://confluence-url/rest/api/content/<page-id>/child/attachment"
CODE

Use that session cookie for download or any subsequent calls

The below call shows how to use the session cookie again to download the file

curl -b /path/to/some/folder/cookie-jar.txt "https://confluence-url/download/attachments/1212445/sample.xlsx" --output /path/to/some/folder/sample.xlsx
CODE