Jira Cloud API Token Permissions (How to limit permissions)

Hi @Nicolo 

I'm not an Atlassian, but very interested in the whole API/integration topic. Take the following with a grain of salt and definitely not as an official Atlassian position.

As far as i understand it, Atlassian's position is that users can create personal API tokens, the operative word here being personal – ie a token will also reflect the permissions of the user who created it. Any changes made using that token will therefore also show up as being made by the user. 

Oh, and just because it wasn't mentioned on this thread before: An API token is tied to the user, not the instance. If a user (say a contractor) has access to many instances, their API tokens do too. 

In short, the personal API token is great if you want to quickly script something for yourself. It is not meant to be used in large-scale integrations. Here, Atlassian thinking seems to be that you'd write an app for that and use OAuth. 

However, not everyone wants to manage tons of functional users or write dedicated apps just so that tiny integration can use the API. That's why we created  API Key Manager (also available for Confluence) to let users create and manage API keys with much tighter restrictions and even expiry dates. 

Getting back to @Raunak 's original question, yes you can restrict an API key created with API Key Manager to just be able to read issues from one project.

Best regards,
 Oliver

It seems your app doesn't let you limit APIs to projects.  Only API endpoints correct?  I installed a trial but couldn't find a way to limit our API keys in that way.

Hi @Sean Young ,

That's right, the app lets you limit the key by API endpoints (and http verb). In many cases that fits nicely with allowing calls per project, for example with something like this:

/rest/api/3/issue/DEMO
/rest/api/3/project/DEMO/

But wherever the project is not part of the endpoint URL, this approach does not fit that well. 

Hope that explains it a bit better, but be sure to let me know what exactly you were trying to achieve, maybe there's something we can do to help.

Best regards,
 Oliver

@Ivanov, Kyrylo [Global IT] as far I know/observed, the api is provided with the same permissions as the user generating it. It is not possible to have scenario you described.

This implementation is a joke. You need to create and mange dummy user accounts for every API token. And I assume each of these accounts counts as a "seat" in your licence fees?

Even worse, there's no facility to impersonate users so you also have to mess-about actually logging into Jira as the dummy user in order to create/revoke/etc. the associated API token.

Am I the only one thinking this is madness. Sensible platforms, like GitLab to name one, allow you to tailor the permissions on the API token at the point of its creation...

That's how it works in Bitbucket on premise @Steve Revill . It will propagate to the remaining applications, but it might take some time.

Thanks for the response. Am I missing something? For example, if I create three API tokens, I can somehow constrain them so that each can, for example, only access a specific project respectively? Or is the official line that I need a unique dummy user for each API token?

Edit: apologies - having re-read the previous post, I realise I misinterpreted the answer. It is: the better (IMO) way of doing things will be coming to Jira at some point.

@Steve Revill i believe you can't. The API Token will align to the user's privileges. And no, you're not the only one deprecating this risky feature. In fact, i just bumped into this.

This is definitely a HUGE security concern. 
There is no reason you shouldn't be able to limit what API tokens have permission to. 

If an application becomes compromised and leaks the API Tokens, having full permissions to the Atlassian portal is a big risk.