Hi Team,
I’m integrating Jira Cloud REST APIs using OAuth 2.0 (3LO) and noticed some unexpected token invalidation behavior during automation.
Here’s my current setup:
However, I’ve observed that as soon as the refresh token is used, all existing API calls using the old access token start failing with 401 Unauthorized, even though the access token’s exp value still indicates 1 hour of validity.
So I wanted to confirm,
This seems to explain why I occasionally get 401 Unauthorized errors right after a token refresh, even though the access token hasn’t yet reached its expiry time.
Thanks,
Gopal
Hello @gopal guna
Does Jira Cloud revoke all access tokens that were issued using a refresh token when that refresh token is used to obtain a new pair?
No. Jira doesn't revoke access tokens (plural) that were (plural) issued when using a refresh token (singular). It only revokes the one access token (singular) that was (singular) issued when using a refresh token (singular) associated with the token.
This is why you have "...observed that as soon as the refresh token is used, all existing API calls using the old access token start failing"
That is OAuth 2.0 working exactly as it is supposed to.... one new access token and one new refresh token being issued per refresh request per each original OAuth token, and the prior access token becomes invalid.
Is this behaviour part of Jira’s implementation of rotating refresh tokens, meaning that both the old refresh token and all access tokens derived from it become invalid?
No. There are not multiple access tokens (plural) derived from a refresh cycle, only one access token (singular), as I previously described.
If so, what’s the recommended approach for handling this in multi-threaded or distributed automation (where multiple workers might still be using the old access token when a refresh occurs)?
As per my previous reply to that same question... don't use one, single OAuth token for multiple or concurrent automation workflows. Don't give one, single OAuth token to multiple workers. Each should have their own, separate token and refresh it individually.
To me, it sounds like you are generating a single OAuth access token, then using it for 'everything', then when any one of those things performs the required refresh cycle and gets the new access token, all the other things will somehow 'know' about that and somehow 'switch' to the new access token.... but you have created no mechanism by which that 'knowing and switching' process will happen with all those things.
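The mechanism the reply above says is missing (a way for every worker to "know" that the token was rotated and "switch" to the new one) can be shown in a few lines. The following is an added example, not code from this thread or from Atlassian: `StubTokenServer` is a constructed stand-in for a token endpoint with rotating refresh tokens (modelling the behaviour described above, where one refresh invalidates the previous access token and consumes the refresh token), `TokenManager` is a hypothetical shared holder that performs single-flight refresh, and all names and the 8-worker scenario are assumptions. It goes slightly beyond the thread by contrasting the failing pattern (each worker keeps its own copy of one token pair) with a shared holder that serialises refreshes.

```python
import itertools
import threading


class StubTokenServer:
    """Constructed stand-in for a token endpoint with rotating refresh tokens
    (an assumption modelling the thread's description, not Atlassian's API):
    one refresh consumes the refresh token, kills its access token, issues a new pair."""

    def __init__(self):
        self._ids = itertools.count(1)
        self._pairs = {}                 # live refresh token -> its access token
        self._lock = threading.Lock()
        self.refresh_calls = 0

    def issue(self):
        n = next(self._ids)
        self._pairs[f"refresh-{n}"] = f"access-{n}"
        return f"access-{n}", f"refresh-{n}"

    def refresh(self, refresh_token):
        with self._lock:
            self.refresh_calls += 1
            if refresh_token not in self._pairs:
                raise PermissionError("invalid_grant")   # already consumed
            del self._pairs[refresh_token]               # old access token dies with it
            return self.issue()

    def api_call(self, access_token):
        with self._lock:
            return 200 if access_token in self._pairs.values() else 401


class TokenManager:
    """Hypothetical shared holder for one pair: workers read the current token here,
    and a refresh happens only if the token that failed is still the current one
    (single-flight), so a rotated refresh token is never presented twice."""

    def __init__(self, server, access, refresh):
        self._server, self._access, self._refresh = server, access, refresh
        self._lock = threading.Lock()

    def access_token(self):
        with self._lock:
            return self._access

    def refresh_if_stale(self, failed_token):
        with self._lock:
            if failed_token != self._access:
                return self._access          # someone already rotated; reuse theirs
            self._access, self._refresh = self._server.refresh(self._refresh)
            return self._access


def call_api(server, manager, max_attempts=8):
    """Worker-side call: on 401, pick up the current token (rotating if needed) and retry."""
    for _ in range(max_attempts):
        token = manager.access_token()
        if server.api_call(token) == 200:
            return 200
        manager.refresh_if_stale(token)
    return 401


def naive_shared_copy_scenario():
    """Two workers keep private copies of one pair and refresh on their own:
    B's call fails after A rotates, and B's own refresh then fails as well."""
    server = StubTokenServer()
    access, refresh = server.issue()
    worker_b = {"access": access, "refresh": refresh}
    server.refresh(refresh)                              # worker A rotates
    status_b = server.api_call(worker_b["access"])       # old access token -> 401
    try:
        server.refresh(worker_b["refresh"])              # consumed refresh token
        return status_b, None
    except PermissionError as exc:
        return status_b, str(exc)


def single_flight_scenario(workers=8, calls_per_worker=50):
    """Workers share one TokenManager; worker 0 rotates proactively every ten
    calls (as if nearing expiry) while the others keep calling and recover."""
    server = StubTokenServer()
    manager = TokenManager(server, *server.issue())
    unrecovered, errors = [], []

    def worker(idx):
        for i in range(calls_per_worker):
            try:
                if idx == 0 and i % 10 == 0:
                    manager.refresh_if_stale(manager.access_token())
                if call_api(server, manager) != 200:
                    unrecovered.append(idx)
            except PermissionError as exc:
                errors.append(str(exc))

    threads = [threading.Thread(target=worker, args=(n,)) for n in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"unrecovered_401": len(unrecovered), "invalid_grant_errors": len(errors),
            "server_refreshes": server.refresh_calls}
```

In the naive scenario worker B gets a 401 on its copied access token and then an `invalid_grant` on its copied refresh token, which is the situation the reply above describes. With the shared holder, 400 racing calls produce exactly five refreshes (worker 0's proactive ones), no `invalid_grant`, and no unrecovered 401, because a worker that finds its token rejected asks the holder for the current one instead of refreshing with a token another worker may already have consumed.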
Hi @gopal guna
I think the answer on this is yes.
But I think the best is to raise this with Atlassian Support (you need to be an admin in your instance to raise requests).
Otherwise your question could be answered in the Developer community.
But based on your label that you are on a free subscription, you don't have rights to support (this is stated in the free subscription agreement).