@soatok I'm curious about your thoughts on usability in the space. You've shared some of them, but I tripped over something this week and I thought you might be interested.
I tried adding scope to an API token I had Atlassian generate for me, and the scoped token wouldn't work. I bashed my head against the problem for a while: peeled apart the library I was using to find the actual URLs it was hitting, confirmed the scopes I'd assigned should match that URL, confirmed an unscoped token worked... It finally turned out that the issue was that if you're using a scoped token, you have to hit an entirely different hostname and top-level path in the URL; they have a slightly different API for requests with scoped tokens.
At that point I gave up and used an unscoped one, because nobody in IT was forcing me to use a scoped one; I just liked the idea that my token intended to read JIRA tickets couldn't also delete them, but I don't care enough to rewrite my API library.
How do we balance security and usability? Is there even a rule of thumb?
(Also, if you ever hear what the first twelve characters in an Atlassian API token mean, I'd love to find out. I had to generate five tokens while testing this problem, and they all started with the same twelve characters... My guess is it's a customer-identifier specific to my company, but I haven't had time to pin down a coworker long enough to have them generate a token to compare with).