Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Has anyone successfully executed an Assets AQL API call using a service account in Jira Service Mana

Melbrin
Melbrin
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 1, 2025


I’m trying to run the following endpoint:

 

POST /ex/jira/{cloudId}/jsm/assets/workspace/{workspaceId}/v1/object/aql

The call works perfectly when authenticated with my personal user account.
But when using a service/technical account, the exact same request fails (401 : insufficient_scope):


{
    "code": 401,
    "message": "Unauthorized; scope does not match"
}
To rule out permission issues, I already ensured that the service account has:

All JSM project permissions, including Create issue, Edit issue, Browse project, Service Desk Agent, etc.

Full Assets access on the workspace/schema (viewer + admin roles tested).

The OAuth scopes required for Assets, including:

read:cmdb-object:jira

read:cmdb-config:jira

Despite this, the AQL call still fails, while it succeeds for a normal user.

So my question is:

👉 Has anyone actually managed to make an AQL API call work with a service account on JSM Cloud?

If yes, could you share:

Which authentication method you used (API token, OAuth 3LO, Forge, Connect app, etc.)

Which scopes or permissions were required beyond read:cmdb

Whether a service account needs additional, undocumented permissions

Any limitations you’ve encountered with the new Assets API when using non-human accounts

Any working example (curl/Postman + config) would be extremely helpful.

Thanks a lot!

PS : I can create issues through API and read issues but can't still perform AQL.

Answer
Watch
Like # people like this
166 views

3 answers

1 accepted

4 votes
Answer accepted
Andrea Robbins
Andrea Robbins
Community Champion
December 2, 2025

Hello!

I got this to work in Postman. Please read the following steps I used and see if there's anything missing on your side:

 

1. Created an Atlassian service account.

2. Created an API token (Authentication Type API token)

3. I added all cmdb read scopes:

Screenshot 2025-12-02 at 6.39.55 AM.png

4. I added my URL into Postman as a POST request

https://api.atlassian.com/ex/jira/{cloudId}/jsm/assets/workspace/{workspaceId}/v1/object/aql?startAt=0&maxResults=50&includeAttributes=true - where the cloudId and workspaceId are the actual values

5. I used Basic Authentication with the email address of the service account and the api token value created.

6. Added the JSON body and added the required headers (Accept/Content-Type)

{

"qlQuery": "objectType = Cloud"

}
7. Went back to the schema and added the service account under Apps within the schema I want it to be able to access as an Object Schema Manager:
Screenshot 2025-12-02 at 6.52.20 AM.png
8. Ran it without any issues:
Screenshot 2025-12-02 at 6.53.26 AM.png
My guess is yours doesn't work because by default the includeAttributes query parameter is true, and if you don't have the scope to read that, it would fail.
View More Comments
Marc -Devoteam-
Marc -Devoteam-
Community Champion
December 2, 2025

Hi @Andrea Robbins 

Thank you for correcting me.

Like
Melbrin
Melbrin
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 2, 2025

This is great ! It works perfectly !

Thanks a lot !

Like
Andrea Robbins
Andrea Robbins
Community Champion
December 2, 2025

Happy to know it worked! Thanks also for accepting the answer. I will say it is a very new feature both the service accounts and the ability to use it with assets (like the asset scopes).

Like
Reply
1 vote
Marc -Devoteam-
Marc -Devoteam-
Community Champion
December 2, 2025

Hi @Melbrin and @Matthias Gaiser _K15t_ 

Based on the API reference and the documentation around service accounts, in general.

The scope options on an API endpoint need the have defined granular scopes.

To my knowledge only the Jira Cloud platform, Jira Software and Jira Service Management API have these options

Not all API's or even API endpoints are usable with a scoped token.

Reply
1 vote
Matthias Gaiser _K15t_
Matthias Gaiser _K15t_
Community Champion
December 1, 2025

Hey @Melbrin

welcome to the Atlassian Community. I tried to do the same - and also failed right now. I'll ping some people to get more eyes on it.

Cheers,
Matthias.

View More Comments
Andrea Robbins
Andrea Robbins
Community Champion
December 2, 2025

Thanks for pinging! 

Like Matthias Gaiser _K15t_ likes this
Reply

Suggest an answer

Log in or Sign up to answer
Jira Service Management
Jira Service Management
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security