As admin, I want to limit scopes for user-generated API keys

Nada O
I'm New Here
May 22, 2026

Hey, I looked through the open feature requests on https://jira.atlassian.com/secure/Dashboard.jspa and I couldn't find anything like this - but maybe it's there. 

As an admin, I can currently allow or disallow users to generate personal API tokens via authentication policies. That is, I can turn it on or off, and I can limit how many days before the token expires. 

Additionally, when users create these tokens, they can choose the scopes. 

What I would love to see is the ability for me as admin to limit the scopes my users have available to them. 

With the advent of generative AI tools, it's much easier to use the API, and I'm worried about well-meaning users accidentally deleting or modifying data. I would prefer to limit the majority of people to read-only scopes. 

Has anyone else found a workaround, or do you see this as a feature request we can upvote?

Shanelle Boluyt
Contributor
May 22, 2026

Irrespective of API, I'd recommend removing most users' ability to delete tickets. If you have Premium, you can give users the ability to Archive issues. If you don't have Premium, you can have a "mark for deletion" field or status, then have an admin review periodically (though personally I wouldn't delete them. I'd move them to another space that only admins can access.) It's been a while, but I think you can give users access to create issues in a space without browse, so they could theoretically move them to a black hole space themselves (but an Admin can still retrieve them if they mess up).

David Cowley
Contributor
May 22, 2026

We recently split our authentication policies so most users are blocked from creating API tokens, so that they have to request being moved to a new policy that allows them to use the API. In our efforts to have better knowledge and awareness of what they are doing, we've found some pages which we were previously unaware of (they might be recent additions...)

https://admin.atlassian.com/o/ORG_KEY/api-tokens

They have a few articles they link to there: https://support.atlassian.com/organization-administration/docs/track-user-api-token-usage-in-your-organization/

Also linking to Automation, which allows for scheduled revocation of stale API tokens after a configured inactivity period (there's one for keys too). So it's a step in the right direction, but as far as I'm aware it's only inactivity that you can action easily now.

I would definitely support such a feature request.

It feels like a persistent gap in the Atlassian permissions model, where there are global level permissions that you cannot maintain granular control of, e.g. bulk permissions. Just these blanket all or nothing choices. It's unfortunate.
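
The inactivity-based revocation mentioned above can also be scripted rather than left to the built-in automation, which is useful when you want a dry run and an audit trail before anything is deleted. The following is an added example and not Atlassian's code or anything from this thread. It assumes the token list has the shape I understand the user management REST API to return per account (`id`, `label`, `createdAt`, `lastAccess`) and that revocation is a `DELETE` against `https://api.atlassian.com/users/{account_id}/manage/api-tokens/{token_id}`; both the field names and the endpoint are assumptions to verify against the current documentation, and the sample token list is constructed for the example.

```python
"""Find, and optionally revoke, API tokens idle for longer than N days.

Added example, not Atlassian's code. The response shape and the revoke
endpoint are assumptions based on the user management REST API docs;
check them before pointing this at a real organization.
"""
from datetime import datetime, timedelta, timezone
import urllib.request

# Constructed sample shaped like one account's token list (assumption).
SAMPLE_TOKENS = [
    {"id": "tok-1", "label": "laptop script",
     "createdAt": "2026-01-10T08:00:00.000Z", "lastAccess": "2026-05-20T12:30:00.000Z"},
    {"id": "tok-2", "label": "old CI job",
     "createdAt": "2025-11-01T08:00:00.000Z", "lastAccess": "2026-02-01T09:00:00.000Z"},
    {"id": "tok-3", "label": "never used",
     "createdAt": "2026-02-15T08:00:00.000Z", "lastAccess": None},
]


def parse_ts(value: str) -> datetime:
    # Timestamps use a trailing 'Z'; older fromisoformat needs '+00:00'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(token: dict) -> datetime:
    # A token that has never been used is still live; age it from creation
    # so that forgotten, unused tokens are also caught.
    return parse_ts(token.get("lastAccess") or token["createdAt"])


def stale_tokens(tokens, max_idle_days: int, now: datetime = None) -> list:
    """Return the tokens whose last activity is older than max_idle_days."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    return [t for t in tokens if last_activity(t) < cutoff]


def revoke_url(account_id: str, token_id: str) -> str:
    # Assumed endpoint (user management REST API); verify before use.
    return f"https://api.atlassian.com/users/{account_id}/manage/api-tokens/{token_id}"


def revoke(account_id: str, token_id: str, bearer: str, dry_run: bool = True) -> str:
    """Revoke one token; with dry_run=True only report what would be sent."""
    req = urllib.request.Request(
        revoke_url(account_id, token_id),
        method="DELETE",
        headers={"Authorization": f"Bearer {bearer}"},
    )
    if dry_run:
        return f"DRY RUN: would DELETE {req.full_url}"
    with urllib.request.urlopen(req) as resp:  # network call, opt-in only
        return f"{resp.status} {req.full_url}"


if __name__ == "__main__":
    as_of = datetime(2026, 5, 24, tzinfo=timezone.utc)
    for t in stale_tokens(SAMPLE_TOKENS, max_idle_days=90, now=as_of):
        print(t["id"], t["label"], last_activity(t).date())
        print(revoke("ACCOUNT_ID", t["id"], bearer="ORG_API_KEY", dry_run=True))
```

Run it as-is to see the dry-run output for the constructed sample; only after checking the list would you call `revoke(..., dry_run=False)` with a real account id and an org admin API key. Treating a never-used token as idle since creation is a deliberate choice: those are exactly the tokens nobody will miss and nobody is watching.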


Tim Martin
Contributor
May 24, 2026

I'm with @Shanelle Boluyt on this one. The lines between UI and AI usage are being blurred anyway. So even if you could restrict API scopes, the person's account still has the means to perform the actions. Your energy would be better spent focusing on the operations and governance around deletion. Eg:

  • generally remove delete permissions and use other techniques to mark for deletion.
  • monitor for bad behaviour
  • define and test backup/restore capabilities for various scenarios. Communicate these clearly to your users. Eg, if someone accidentally deletes an issue, will you restore an entire copy of an instance to manually copy a single issue?

I am in favour of having more options as an Org admin though - so I still think you should submit a ticket. At least it gives Atlassian a data point, and they may end up approaching this risk from a different angle with AI tools.
