We are using the Atlassian Rovo MCP integration and have enabled all available read and search scopes in the Rovo MCP settings UI. Despite this, every Confluence tool call fails at runtime. It was working previously but suddenly has stopped and we're not sure why.
What works
- getAccessibleAtlassianResources — returns our site correctly, with cloud ID 8f2d4697-... and site URL creativeforce.atlassian.net
However, the response only lists two scopes on the token:
- read:confluence:agent-interface
- search:confluence:agent-interface
What fails — all with the same error
Every other Confluence tool returns:
Authentication failed: {"code": 401, "message": "Unauthorized; scope does not match"}
This includes:
- getConfluenceSpaces
- getPagesInConfluenceSpace
- getConfluencePage
- getConfluencePageDescendants
- searchConfluenceUsingCql
- getConfluencePageFooterComments
- getConfluencePageInlineComments
- getConfluenceCommentChildren
Additionally, the generic search (Rovo Search) tool returns a different error:
Access denied. Your account does not have permission to search Jira or Confluence content.
Our questions
1. Are read:confluence:agent-interface and search:confluence:agent-interface the only scopes Rovo MCP ever provisions, or should additional scopes such as read:confluence-content:confluence be present on the token when those settings are enabled?
2. Is there a known issue where enabling scopes in the Rovo MCP settings UI does not propagate to the runtime token? Is a disconnect/reconnect or manual token refresh required?
3. Why does getAccessibleAtlassianResources succeed while all other Confluence tools fail — does it use a different auth mechanism or endpoint?
4. Why does the generic Rovo search tool return a 403 (access denied) rather than the 401 (scope mismatch) that all other tools return? Does this tool require a separate permission grant?
5. What is the correct set of scopes required for each Confluence MCP tool, and where can these be verified?
Any suggestions?
Hi @dakota
Welcome to the community!
As of June 30, 2026, the old /v1/sse endpoint is no longer supported.
If your integration is still pointing at https://mcp.atlassian.com/v1/sse, you'll need to update to https://mcp.atlassian.com/v1/mcp. The old endpoint may still partially work for auth but fail on tool execution.
ah ha! We were pointing to https://mcp.atlassian.com/v1/mcp/authv2 based on this https://support.atlassian.com/atlassian-rovo-mcp-server/docs/troubleshooting-and-verifying-your-setup/ and that seems to have been causing the issue. We removed the "authv2" and all is gold now.
Thanks!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Same for me, that does not work for me neither.
I can reproduce those same 5 points above, when setting the Rovo MCP in Coder
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I have the identical problem as @dakota
I'm using Open WebUI to include the Rovo-MCP Server and I need the https://mcp.atlassian.com/v1/mcp/authv2 url to register via OAuth2.1.
It is possible to use the tools getAccessibleAtlassianResources or atlassianUserInfo but getVisibleJiraProject or the general search tool always throw "access denied".
I can only repeat the questions from my previous speaker:
1. Are read:confluence:agent-interface and search:confluence:agent-interface the only scopes Rovo MCP ever provisions, or should additional scopes such as read:confluence-content:confluence be present on the token when those settings are enabled?
2. Is there a known issue where enabling scopes in the Rovo MCP settings UI does not propagate to the runtime token? Is a disconnect/reconnect or manual token refresh required?
3. Why does getAccessibleAtlassianResources succeed while all other Confluence tools fail — does it use a different auth mechanism or endpoint?
4. Why does the generic Rovo search tool return a 403 (access denied) rather than the 401 (scope mismatch) that all other tools return? Does this tool require a separate permission grant?
5. What is the correct set of scopes required for each Confluence MCP tool, and where can these be verified?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hey @Sascha Schempp if it helps, I just used https://mcp.atlassian.com/v1/mcp and it worked (also with OAuth2.1).
But I second your questions. It'd be good to know.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Unfortunately, this doesn't work for me :(
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
had this very issue. Do the following:
1. Go to https://id.atlassian.com/manage-profile/apps and delete OpenWebUI app
2. Go to openwebui and delete the jira tool
3. create jira tool again with NEW ID - and make sure you use https://mcp.atlassian.com/v1/mcp when you register the client.
then when users do authentication, they will be presented legacy-scoped dialog - not the new one from ROVO - and everthing started to work for me. Wasted 3 hours on this :(
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
This worked!
Awesome, thank you very much for your help!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.