
Jira Cloud API Token Permissions (How to limit permissions)


Hi Everyone,
We currently use JIRA Cloud as our ticket management/issue tracking system. We have multiple project boards set up in our Jira instance.

We are looking to integrate JIRA into our project management tool to pull in tasks from one of our projects in JIRA.

What is the best way of limiting the API token's access to just one project? 

From my understanding, Jira API tokens are limited to the permissions set on the user profile. For instance, if a user profile is given access to a particular project, the API token generated from that account will only be able to access the projects/resources associated with that account. Is this the correct assumption?

 

1 answer

0 votes
Warren Community Leader Oct 18, 2019

Hi @Raunak 

I feel as if you've answered your own question :-)

Yes, the token only allows access to whatever that user has access to in Jira, so if you want a token that can only access 1 project, ensure that the user can only access that 1 project.
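
To check the answer's point in practice, the following added example (not from the thread or from Atlassian) lists every project a token can see through Jira Cloud's `GET /rest/api/3/project/search` and compares the result with the single project intended for the integration. The site URL, project keys and sample responses are constructed placeholders.

```python
import base64
import json
import urllib.request

def jira_fetcher(site, email, api_token):
    """Return a callable that GETs one page of /rest/api/3/project/search."""
    cred = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    def fetch(start_at):
        req = urllib.request.Request(
            f"{site}/rest/api/3/project/search?startAt={start_at}&maxResults=50",
            headers={"Authorization": f"Basic {cred}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def visible_projects(fetch):
    """Walk every page and collect the project keys the token's user can see."""
    keys, start = set(), 0
    while True:
        page = fetch(start)
        values = page.get("values", [])
        keys.update(p["key"] for p in values)
        if page.get("isLast", True) or not values:
            return keys
        start += len(values)

def audit_token_scope(fetch, allowed):
    """Compare what the token sees with the intended project allowlist."""
    seen = visible_projects(fetch)
    return {"unexpected": sorted(seen - set(allowed)),
            "missing": sorted(set(allowed) - seen)}

# Constructed sample responses (two pages) standing in for a live site.
SAMPLE_PAGES = {
    0: {"startAt": 0, "isLast": False, "values": [{"key": "PMSYNC"}, {"key": "HR"}]},
    2: {"startAt": 2, "isLast": True, "values": [{"key": "FIN"}]},
}

def sample_fetch(start_at):
    return SAMPLE_PAGES[start_at]

if __name__ == "__main__":
    # Live use (placeholder site): fetch = jira_fetcher("https://example.atlassian.net", email, token)
    print(audit_token_scope(sample_fetch, ["PMSYNC"]))
```

A non-empty `unexpected` list means the account behind the token still has access to projects beyond the one the integration needs.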

@Ivanov, Kyrylo [Global IT] as far as I know/observed, the API is provided with the same permissions as the user generating it. It is not possible to have the scenario you described.

This implementation is a joke. You need to create and manage dummy user accounts for every API token. And I assume each of these accounts counts as a "seat" in your licence fees?

Even worse, there's no facility to impersonate users, so you also have to mess about actually logging into Jira as the dummy user in order to create/revoke/etc. the associated API token.

Am I the only one thinking this is madness? Sensible platforms, like GitLab to name one, allow you to tailor the permissions on the API token at the point of its creation...

That's how it works in Bitbucket on premise @Steve Revill . It will propagate to the remaining applications, but it might take some time.


Thanks for the response. Am I missing something? For example, if I create three API tokens, I can somehow constrain them so that each can, for example, only access a specific project respectively? Or is the official line that I need a unique dummy user for each API token?

Edit: apologies - having re-read the previous post, I realise I misinterpreted the answer. It is: the better (IMO) way of doing things will be coming to Jira at some point.


@Steve Revill I believe you can't. The API token will align to the user's privileges. And no, you're not the only one deprecating this risky feature. In fact, I just bumped into this.

