Access TeamCity via REST API without passing credentials.

Hi there.

I've been reading up on the REST API and was wondering if there is a way to access the API without passing the username and password in the url? In other words, is there an alternative way to authenticate a user who wants to use the API without passing credentials in the url?

My concern is that passing the credentials as part of the url is a security risk since, in theory, someone could be sniffing the network and pick up this information.

Could someone advise me on this please?

Many Thanks.

Comment actions Permalink

It looks like this post has answered my question:

Rest API Authentication Integrated

Comment actions Permalink


If network sniffing is an attack you want to protect from, you should probably use https as othervise other security risks are actual in addition to leaked credentials.

There are only several ways to provide authentication with REST and none of them is secure at this time:
- use HTTP basic authentication (with httpAuth)
- access server as "guest"/unauthenticated user: use "guestAuth" prefix instead of "httpAuth"
- provide authToken in the URL (if enabled) - this is even worth then httpAuth

All these ways are mentioned on the REST API page.

Also, in theory one can login in the browser and then copy rememberMe cookie from the browser and send the cookie with each REST request.

There is a related issue in the tracker to ease and secure authentication: TW-14209.
I hope at some point we will be able to implement TW-3161 and REST will benefit from it.

Comment actions Permalink

Hi there :)

Thanks for your reply, that was really informative.

Yeah it would be great if a token based approach was made available, but in the meantime it looks like the best bet would be to still pass the username and password via the URL, but configure the server to use HTTPS. So at least then data would be encrypted over the wire.



Please sign in to leave a comment.