I’m creating Jira Service Management (JSM) requests via the Cloud REST API using OAuth 2.0 client_credentials. Steps and results (all identifiers redacted):
1. Get access token (client_credentials): POST auth.atlassian.com/oauth/token with grant_type=client_credentials → 200 OK, token’s scope includes write:request:jira-service-management (plus many JSM read scopes).
2. Resolve site cloudId: GET https://<SITE>.atlassian.net/_edge/tenant_info with Authorization: Bearer <ACCESS_TOKEN> → 200 OK, returns cloudId = <CLOUD_ID>.
3. List request types: GET api.atlassian.com/ex/jira/<CLOUD_ID>/rest/servicedeskapi/servicedesk/<SD_ID>/requesttype?expand=fields → 200 OK, returns multiple request types (e.g., <REQUEST_TYPE_ID> for “Onboarding”).
4. Get fields for a request type: GET api.atlassian.com/ex/jira/<CLOUD_ID>/rest/servicedeskapi/servicedesk/<SD_ID>/requesttype/<REQUEST_TYPE_ID>/field → 200 OK, returns the portal fields (required/optional, option ids, etc.).
5. Create a request: POST api.atlassian.com/ex/jira/<CLOUD_ID>/rest/servicedeskapi/request with JSON body:
{
  "serviceDeskId": "<SD_ID>",
  "requestTypeId": "<REQUEST_TYPE_ID>",
  "requestFieldValues": {
    "customfield_...": "...",
    "...": "...",
    "description": "Onboarding test"
  },
  "raiseOnBehalfOf": "<REQUESTER_EMAIL>"
}
Headers: Authorization: Bearer <ACCESS_TOKEN>, Accept: application/json, Content-Type: application/json
→ 401 with message: "Unauthorized; scope does not match".
Question / suspicion: Do JSM Customer APIs (creating requests, POST /rest/servicedeskapi/request) require a user-context token (OAuth 2.0 3LO / Authorization Code) linked to a user who has portal access (and agent permissions if using raiseOnBehalfOf), and therefore do not support app-only client_credentials tokens for write operations? The same client_credentials token successfully calls read-only endpoints (tenant info, request types, fields), but creation fails with the scope error even though write:request:jira-service-management appears in the token.
Environment & constraints (sanitized):
Cloud site: <SITE>.atlassian.net
cloudId: <CLOUD_ID>
Service desk id: <SD_ID>
Request type id: <REQUEST_TYPE_ID>
Using OAuth 2.0 client_credentials token that includes write:request:jira-service-management
No Basic/API-token auth; using only OAuth 2.0
Goal: Create requests programmatically (optionally using raiseOnBehalfOf)
What I need clarified / help with:
Can POST /rest/servicedeskapi/request be called with client_credentials (app context), or is a 3LO user token mandatory?
If client_credentials is supported, what exact scope or app access policy is additionally required to create requests on JSM?
Does raiseOnBehalfOf require the authorized user to be an agent on the service desk (which wouldn’t exist for an app-only token), explaining the 401 even with write scope?
If 3LO is required, can you confirm the needed setup:
Grant write:request:jira-service-management to the 3LO app,
Authorize a human or service user who has portal access (and agent role if using raiseOnBehalfOf),
Use the resulting user-access token to call the endpoint.
Expected outcome: Either confirmation that client_credentials cannot create JSM requests (and I must switch to 3LO user tokens / API token auth), or precise instructions/scopes to make client_credentials work for POST /rest/servicedeskapi/request.
Thanks in advance!
The user the token is made from needs to have a JSM Agent license and needs to have the Service Desk Team role on the project to create issues.
Also I don't think client_credential option, also see https://jira.atlassian.com/browse/ID-9094
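A local check of what the access token from step 1 actually carries, as an added example that is not part of the original posts. It assumes the token is a JWT with the standard `scope`, `sub`, `aud` and `exp` claims; the sample token is constructed, and the signature is not verified (inspection only).

```python
import base64
import json
import time

REQUIRED_SCOPE = "write:request:jira-service-management"  # scope named in the question


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT; token may be opaque")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def granted_scopes(claims: dict) -> set:
    """Normalise 'scope', which may be a space-delimited string or a list."""
    raw = claims.get("scope", "")
    return set(raw.split() if isinstance(raw, str) else raw)


def diagnose(token: str, required: str = REQUIRED_SCOPE, now=None) -> dict:
    """Summarise what the token carries that is relevant to a scope error."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    return {
        "has_required_scope": required in granted_scopes(claims),
        "expired": "exp" in claims and claims["exp"] <= now,
        "subject": claims.get("sub"),   # which principal the token represents
        "audience": claims.get("aud"),
    }


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    sample = make_sample_token({"sub": "constructed-app-id", "aud": "api.atlassian.com",
                                "scope": "read:request:jira-service-management " + REQUIRED_SCOPE,
                                "exp": 2000000000})
    print(diagnose(sample, now=1700000000))
```

If `has_required_scope` is true and the create call still returns 401, the scope string itself is not what is missing, and `subject` shows which principal the token represents.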