OAuth 2.0

AutomationUIUser
June 16, 2026

We are implementing OAuth 2.0 Authorization Code flow for authentication with Jira (Jira Service Management / Jira Cloud).

During the flow, our application receives an authorization code after the user grants consent. We would like to understand the validity and behavior of this code in more detail.

Could you please clarify:

  1. How long is the OAuth 2.0 authorization code valid after it is generated?

  2. Is the authorization code single-use only, or can it be reused within its validity window?

  3. Does the code expire immediately after first use or after a fixed time period (for example, a few minutes)?

  4. In case the code is not exchanged for an access token within the validity period, is a new authorization request required from the user?

1 answer

1 accepted

1 vote
Answer accepted
Germán Morales _ Hiera
Atlassian Partner
June 16, 2026

Hi @AutomationUIUser, one caveat on sourcing first: Atlassian's 3LO docs walk through the authorization code flow but don't publish an exact lifetime or a single-use guarantee for the authorization code itself. The only expiry they document is on the access token, via expires_in. So the code's behaviour follows the OAuth 2.0 standard that Atlassian implements, which answers your four points:

  • Lifetime: short and not officially specified by Atlassian. OAuth 2.0 recommends a maximum of about 10 minutes, so don't build around a fixed window; exchange it as soon as you receive it.
  • Single-use: yes. It is meant to be exchanged once, and a second exchange with the same code is rejected.
  • Expiry behaviour: both apply. It becomes invalid immediately after a successful exchange, and it also expires on its own if you never use it.
  • If it expired or was already used: yes, send the user through the authorize step again to get a fresh code. To avoid re-prompting for ongoing access, request the offline_access scope and keep the refresh token, since the access token lasts about an hour and the rotating refresh token stays valid for 90 days.

Reference: Implementing the authorization code flow.
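
An added example, not part of the answer above and not Atlassian's code: a client-side handler that exchanges the code once and treats the standard `invalid_grant` error (RFC 6749 section 5.2) as "restart authorization". The `post` transport callable, `creds` dict, class names and the `FakeTokenEndpoint` with its constructed token values are assumptions for illustration; only the token URL is Atlassian's.

```python
import time

TOKEN_URL = "https://auth.atlassian.com/oauth/token"  # Atlassian 3LO token endpoint

class ReauthorizationRequired(Exception):
    """The code was already used or has expired: redirect the user to authorize again."""

class TokenStore:
    """Holds the current token set (hypothetical helper; persist securely in real use)."""
    def __init__(self):
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def save(self, body, now):
        self.access_token = body["access_token"]
        # Refresh tokens rotate: always overwrite with the newest one returned.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = now + body["expires_in"]  # only documented expiry

def exchange_code(code, creds, store, post, now=time.time):
    """Exchange the code once, right after the callback. creds carries
    client_id, client_secret and redirect_uri; post(url, json) -> (status, body)."""
    payload = {"grant_type": "authorization_code", "code": code, **creds}
    status, body = post(TOKEN_URL, payload)
    if status != 200:
        # Never retry with the same code: a used or expired code stays invalid.
        if body.get("error") == "invalid_grant":
            raise ReauthorizationRequired(body.get("error_description", ""))
        raise RuntimeError(f"token endpoint error: {body.get('error')}")
    store.save(body, now())

class FakeTokenEndpoint:
    """Constructed stand-in for the server: single-use codes with a fixed lifetime."""
    def __init__(self, code, issued_at, ttl, clock):
        self.codes = {code: issued_at + ttl}
        self.clock = clock

    def __call__(self, url, payload):
        expiry = self.codes.pop(payload["code"], None)  # pop enforces single use
        if expiry is None or self.clock() > expiry:
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600}
```

In production, `post` would wrap a real HTTPS client call, and the handler for `ReauthorizationRequired` would redirect the user to the authorize step with a fresh `state` value.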

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
PERMISSIONS LEVEL
Product Admin