OAuth 2.0 app getting "access_denied - Unauthorized" when connecting to Rovo MCP server.

Abdullah Baig
I'm New Here
June 19, 2026

We are building a custom webapp and trying to connect to the Atlassian Rovo MCP server using OAuth 2.0 (Authorization Code + PKCE) for per-user authentication.

We have:
✅ Created an OAuth 2.0 app in the Atlassian Developer Console
✅ Added our domain to the Rovo MCP server domain allowlist in Atlassian Administration
✅ Completed the OAuth PKCE flow successfully — token obtained
✅ MCP session initializes successfully (Session ID assigned)
✅ Direct Atlassian REST APIs work perfectly with the same token:
- GET api.atlassian.com/me → 200 OK
- GET Jira /rest/api/3/project → 200 OK
- GET Confluence /wiki/api/v2/spaces → 200 OK

❌ Every Rovo MCP tool call fails with:
"We are having trouble completing this action. Please try again shortly."

❌ Rovo search tool specifically returns:
"We couldn't verify your connection settings.
Please contact your administrator for assistance."

❌ When attempting token exchange via our platform:
"token request failed: OAuth error: access_denied - Unauthorized"

❌ Dynamic Client Registration returns 404 — not supported

The token is clearly valid for all Atlassian REST APIs. The rejection
is happening specifically at the MCP server layer.

We believe the issue is that our OAuth client_id is not registered as
a trusted client on the MCP server side — similar to how `cursor.mcp`,
`mcp.docker.com`, `claude.ai` etc. are on the official supported domains list.

Questions:
1. Is there a process for third-party platforms to register their
OAuth client_id as trusted with the Rovo MCP server?
2. Is adding a custom domain to the allowlist sufficient, or does
the OAuth app also need to be registered separately with Atlassian?
3. Is there an official partner/whitelisting program for this?

Reference: Similar issue reported here:
https://community.atlassian.com/forums/Jira-questions/Connecting-Atlassian-Rovo-MCP-with-a-custom-webapp/qaq-p/3204705

Related feature request: AI-1194
https://jira.atlassian.com/browse/AI-1194

Official docs referenced:
https://support.atlassian.com/security-and-access-policies/docs/understand-atlassian-rovo-mcp-server/
https://support.atlassian.com/security-and-access-policies/docs/available-atlassian-rovo-mcp-server-domains/

2 answers

1 vote
Arkadiusz Wroblewski
Community Champion
June 21, 2026

Hi and welcome to Atlassian Community @Abdullah Baig 

A working token for the standard Jira or Confluence APIs doesn't mean the Rovo MCP layer is automatically cleared; MCP enforces its own separate security checks.

An admin should go to Atlassian Administration ➔ Rovo ➔ Rovo MCP server to verify your domain pattern matches exactly (e.g., https://your-domain.com), Read/Search permissions are enabled for both products, and your OAuth scopes align.

If those settings are correct but you still get that generic error, it's likely a backend validation failure (you know... with backend failures, you're often unsure until Atlassian validates them).

You'll need to open a ticket with Atlassian Support and share your MCP session ID, cloudId, timestamp, and the specific tool call that's failing. 

Best,

Arkadiusz 🤠 ☀️

0 votes
Anwesha Pan
Rising Star
June 23, 2026

Hi @Abdullah Baig 👋🏻

First of all, welcome to the community! ✨

I think the Rovo MCP server expects OAuth 2.1 authentication rather than standard 3LO OAuth 2.0.

Alternatively, your admin should be able to set this up:

  1. Go to Atlassian Administration > Security > Rovo MCP Server Settings.
  2. Enable Allow API token authentication.
  3. Have your users generate and use Rovo-scoped API tokens instead of trying to pass OAuth 2.0 bearer tokens to the MCP endpoint.

The answers to your specific questions:

  1. Is there a process for third-party platforms to register their OAuth client_id as trusted with the Rovo MCP server?
    Not currently. Atlassian’s Remote MCP Server is designed to exclusively support Atlassian-approved MCP clients (e.g., Cursor, Windsurf, VS Code, Claude).
  2. Is adding a custom domain to the allowlist sufficient, or does the OAuth app also need to be registered separately with Atlassian?
    Allowlisting your domain is only half the battle. Because the MCP auth server won't issue tokens to custom 3LO apps, the app must also be registered as an official MCP client.
  3. Is there an official partner/whitelisting program for this?
    There is no public self-service partner program to register custom OAuth client IDs for the remote MCP server.

I hope this helps & answers your question. 🙂

Thanks,
Anwesha
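
Added example (not part of either answer, and not Atlassian code): a client-side preflight for the situation in this thread, where a token works against the REST APIs but is rejected at the MCP layer and Dynamic Client Registration returns 404. It assumes the MCP server publishes RFC 9728 protected-resource metadata and RFC 8414 authorization-server metadata, which the thread does not confirm; the metadata documents, hosts and the `preflight` function are constructed for illustration.

```python
import json

# Constructed sample documents (not captured from any real server). Field names
# come from RFC 9728 (protected resource metadata) and RFC 8414 (authorization
# server metadata); hosts and values are placeholders.
RESOURCE_METADATA = json.loads("""{
  "resource": "https://mcp.example.test/v1/mcp",
  "authorization_servers": ["https://auth.example.test"]
}""")
AS_METADATA = json.loads("""{
  "issuer": "https://auth.example.test",
  "authorization_endpoint": "https://auth.example.test/authorize",
  "token_endpoint": "https://auth.example.test/token",
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "code_challenge_methods_supported": ["S256"]
}""")


def preflight(resource_md, as_md, token_issuer, has_preregistered_client):
    """Return findings that explain why an MCP call may be rejected even
    though the same token is accepted by other APIs."""
    findings = []
    servers = resource_md.get("authorization_servers", [])
    # The token must come from an authorization server the resource names.
    if token_issuer not in servers:
        findings.append("token issuer %s is not listed by the resource (%s)"
                        % (token_issuer, ", ".join(servers) or "none"))
    # The metadata must describe one of the servers the resource names.
    if as_md.get("issuer") not in servers:
        findings.append("authorization server metadata issuer mismatch")
    if "S256" not in as_md.get("code_challenge_methods_supported", []):
        findings.append("S256 PKCE not advertised")
    # No registration_endpoint means RFC 7591 dynamic registration is not
    # offered, so the client_id has to be known to the server in advance.
    if "registration_endpoint" not in as_md and not has_preregistered_client:
        findings.append("no registration_endpoint and no pre-registered client_id")
    return findings


if __name__ == "__main__":
    # Token minted by a different authorization server, custom client_id.
    for line in preflight(RESOURCE_METADATA, AS_METADATA,
                          "https://other-auth.example.test", False):
        print("FINDING:", line)
```
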
