Atlassian has been around since the mid-2000s. Jira is one of those tools that almost every developer has used at least once — and many still use daily.
No matter how many companies you change, Jira somehow always shows up again. And honestly — for good reasons. It’s a solid product.
An old developer once told me: “Jira is like heroin. Everyone hates it — but once you’ve used it, you can’t live without it.” That joke stuck with me because it’s painfully accurate.
So when you build an API testing tool, you don’t skip Jira.
What was tested
I tested a real Jira API request — creating an issue. No mocks. No guessing. No “example payloads”. I took a real cURL request, imported it into Rentgen, and ran the tests.
Import cURL → Send → Generate & Run Tests. Then I went to make coffee. When I came back, I had results.
Endpoint:
POST https://rentgen.atlassian.net/rest/api/3/issue?updateHistory=true&applyDefaultValues=false&skipAutoWatch=true
First impression: the basics are solid
Most recommended security headers are there. That’s good. That’s expected from Atlassian.
Clickjacking protection — missing
Neither the X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive is present.
Is this critical? No. Is this catastrophic? Also no. Explained for an 8-year-old: this header tells browsers not to let your site be embedded inside someone else’s page, where it could be used to trick users.
Low severity. Easy fix. Still worth pointing out.
Where things start getting ugly
Unsupported HTTP method handling
When you send an unsupported HTTP method, the API responds with 403 Forbidden.
This is bad — because 403 means “you don’t have permission”. So what happens in real life? You check permissions, tokens, scopes, and debug auth for hours — until you finally realize: you just used the wrong HTTP method.
This should be 405 Method Not Allowed (or 501 Not Implemented). Returning 403 here is misleading and wastes time.
404 Not Found test — fails
Rentgen replaces the last path segment with a non-existent one and expects 404 Not Found. Instead, Jira returns 405 Method Not Allowed.
405 says “the resource exists, but the method is wrong”. 404 says “this resource does not exist”. These are very different situations — and mixing them breaks client logic, retries, and error handling.
Large payload test — the worst one
Expected: 413 Payload Too Large. Actual: 400 Bad Request.
Yes, 400 technically says “the request is bad”. But the problem is how the system gets there. The API accepts the full 10 MB payload, processes it, validates it — and only then rejects it. You can feel it in response time.
A proper implementation should reject immediately, drop the payload early, and return 413 without processing. This is a performance and resilience issue, not just semantics.
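One way to get that behaviour, as an added example (not code from Rentgen or Jira): a small WSGI middleware that decides from the Content-Length header alone, so an oversized request is refused with zero body bytes read. The 1 MiB limit, the 411 answer for a missing length, and the names BodyLimit, create_issue and send are assumptions made for illustration.

```python
import io

MAX_BODY = 1024 * 1024  # assumed 1 MiB limit; tune per endpoint


class BodyLimit:
    """WSGI middleware that refuses oversized bodies before the app runs."""

    def __init__(self, app, max_body=MAX_BODY):
        self.app, self.max_body = app, max_body

    def __call__(self, environ, start_response):
        if environ["REQUEST_METHOD"] in ("POST", "PUT", "PATCH"):
            declared = environ.get("CONTENT_LENGTH") or ""
            if not declared:  # unknown size: refuse rather than buffer it
                return self._refuse(start_response, "411 Length Required")
            if not (declared.isascii() and declared.isdigit()):
                return self._refuse(start_response, "400 Bad Request")
            # Header-only decision; the length guard skips parsing absurd values.
            if len(declared) > 15 or int(declared) > self.max_body:
                return self._refuse(start_response, "413 Payload Too Large")
        return self.app(environ, start_response)

    @staticmethod
    def _refuse(start_response, status):
        start_response(status, [("Content-Length", "0")])
        return [b""]


def create_issue(environ, start_response):
    # Constructed stand-in for a real handler: reads the whole declared body.
    body = environ["wsgi.input"].read(int(environ["CONTENT_LENGTH"]))
    start_response("201 Created", [("Content-Type", "text/plain")])
    return [b"accepted %d bytes" % len(body)]


def send(app, method, body, declared=None):
    """Drive a WSGI app with a constructed request; return (status, bytes_read)."""
    stream = io.BytesIO(body)
    environ = {"REQUEST_METHOD": method, "wsgi.input": stream,
               "CONTENT_LENGTH": str(len(body)) if declared is None else declared}
    seen = []
    b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], stream.tell()


if __name__ == "__main__":
    for size in (100, 10 * 1024 * 1024):  # small body, then a 10 MB body
        print(send(BodyLimit(create_issue), "POST", b"x" * size))
```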
Performance
Median response time is ~370 ms — perfectly fine. But with just 10 concurrent users, p50 jumps to 1331 ms and p90/p95 climb even higher. That doesn’t mean Jira is “slow”, but it does mean something interesting is happening under concurrency — and it’s worth digging deeper.
Data-driven tests: where Rentgen shines
This is always the most interesting part.
Automatic trimming test
Rentgen automatically checks whether input values are trimmed: if trimming works — the test passes; if trimming fails — it fails; if the value doesn’t come back in the response — Rentgen flags it as manual verification needed.
In this case:
body.fields.summary = " rentgen test 123 "
Result: informational. So I checked the UI. And yes — the value is not trimmed.
Why is this a bug? Because invisible spaces break integrations, exports, comparisons, and create “ghost” issues nobody understands. Users don’t see spaces. Systems do.
Weak field validation examples
Some examples that stood out:
- body.fields.priority.iconUrl accepts any string, even though it’s clearly meant to be a URL. Other developers will trust it and break UI later.
- body.fields.duedate: “5555-01-02” is accepted. Semantically invalid. UI can’t realistically handle this.
- query.applyDefaultValues is a boolean field. It rejects “true” as string and rejects null, but accepts 0 and converts it to false. Not critical. Not pretty. If a field is boolean — treat it like one.
Final thoughts
In about two minutes, without writing a single script, I got real protocol issues, real semantics problems, real performance signals, and real data validation gaps.
This is not “testing is finished”. This is where testing starts.
Rentgen doesn’t replace Jira testing. It forces you to see things you normally miss — before your users do.
Coffee well spent.