Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,559,589
Community Members
 
Community Events
185
Community Groups

Jira Cloud API Token Permissions (How to limit permissions)

Edited
Raunak
Raunak Oct 17, 2019

Hi Everyone,
We currently use JIRA Cloud  as our ticket management/issue tracking system. We have multiple projects boards setup in our Jira Instance.

We are looking integrate JIRA into our project management tool to pull in tasks from one of our projects in JIRA. 

What is the best way of limiting the API token's access to just one project? 

From my understanding, Jira API Token's are limited to the permissions set on the user profile. For instance, if a user profile is given access to particular project, the API token generated from that account will only be able to access the projects/resources associated to that account. Is this the correct assumption? 

 

Answer
Watch
Like # people like this
4600 views

3 answers

0 votes
Nicolo
Nicolo Mar 03, 2023 • edited

TLDR: there is no way to do this.

This is absolutely nuts and a huge security concern.

Not many non-technical people using Jira may be aware of this, but trust me, this need to be fixed ASAP. I will go for managing a new user route, but I'm questioning the seriousness of Atlassian managing API tokens like this.

View More Comments
Oliver Siebenmarck _Polymetis Apps_
Oliver Siebenmarck _Polymetis Apps_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
Mar 03, 2023

Hi @Nicolo 

I'm not an Atlassian, but very interested in the whole API/integration topic. Take the following with a grain of salt and definitely not as an official Atlassian position.

As far as i understand it, Atlassian's position is that users can create personal API tokens, the operative word here being personal – ie a token will also reflect the permissions of the user who created it. Any changes made using that token will therefore also show up as being made by the user. 

Oh, and just because it wasn't mentioned on this thread before: An API token is tied to the user, not the instance. If a user (say a contractor) has access to many instances, their API tokens do too. 

In short, the personal API token is great if you want to quickly script something for yourself. It is not meant to be used in large-scale integrations. Here, Atlassian thinking seems to be that you'd write an app for that and use OAuth

However, not everyone wants to manage tons of functional users or write dedicated apps just so that tiny integration can use the API. That's why we created  API Key Manager (also available for Confluence) to let users create and manage API keys with much tighter restrictions and even expiry dates. 

Getting back to @Raunak 's original question, yes you can restrict an API key created with API Key Manager to just be able to read issues from one project.

Best regards,
 Oliver

Like Gary Spross likes this
Reply
0 votes
Matthew Crocco
Matthew Crocco Jun 24, 2022

Is there a feature request for this that I can follow?

Reply
0 votes
Warren
Warren
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
Oct 18, 2019

Hi @Raunak  

I feel as if you've answered your own question :-)

Yes, the token only allows access to whatever that user has access to in Jira, so if you want a token that can only access 1 project, ensure that the user can only access that 1 project.

View More Comments
Raunak
Raunak Nov 17, 2020

@Ivanov, Kyrylo [Global IT] as far I know/observed, the api is provided with the same permissions as the user generating it. It is not possible to have scenario you described.

Like
Steve Revill
Steve Revill Feb 10, 2021 • edited

This implementation is a joke. You need to create and mange dummy user accounts for every API token. And I assume each of these accounts counts as a "seat" in your licence fees?

Even worse, there's no facility to impersonate users so you also have to mess-about actually logging into Jira as the dummy user in order to create/revoke/etc. the associated API token.

Am I the only one thinking this is madness. Sensible platforms, like GitLab to name one, allow you to tailor the permissions on the API token at the point of its creation...

Like # people like this
Capi _resolution_
Capi _resolution_
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
Feb 10, 2021

That's how it works in Bitbucket on premise @Steve Revill . It will propagate to the remaining applications, but it might take some time.

Like Steve Revill likes this
Steve Revill
Steve Revill Feb 10, 2021 • edited Jun 11, 2021

Thanks for the response. Am I missing something? For example, if I create three API tokens, I can somehow constrain them so that each can, for example, only access a specific project respectively? Or is the official line that I need a unique dummy user for each API token?

Edit: apologies - having re-read the previous post, I realise I misinterpreted the answer. It is: the better (IMO) way of doing things will be coming to Jira at some point.

Like Chaim Paperman likes this
Francesco Consiglio
Francesco Consiglio Jun 04, 2021

@Steve Revill i believe you can't. The API Token will align to the user's privileges. And no, you're not the only one deprecating this risky feature. In fact, i just bumped into this.

Like Chaim Paperman likes this
Rob Verdon
Rob Verdon Jan 20, 2022

This is definitely a HUGE security concern. 
There is no reason you shouldn't be able to limit what API tokens have permission to. 

If an application becomes compromised and leaks the API Tokens, having full permissions to the Atlassian portal is a big risk. 

Like # people like this
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

See all events