Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Jira Cloud API Token Permissions (How to limit permissions)


Hi Everyone,
We currently use JIRA Cloud  as our ticket management/issue tracking system. We have multiple projects boards setup in our Jira Instance.

We are looking integrate JIRA into our project management tool to pull in tasks from one of our projects in JIRA. 

What is the best way of limiting the API token's access to just one project? 

From my understanding, Jira API Token's are limited to the permissions set on the user profile. For instance, if a user profile is given access to particular project, the API token generated from that account will only be able to access the projects/resources associated to that account. Is this the correct assumption? 


3 answers

TLDR: there is no way to do this.

This is absolutely nuts and a huge security concern.

Not many non-technical people using Jira may be aware of this, but trust me, this need to be fixed ASAP. I will go for managing a new user route, but I'm questioning the seriousness of Atlassian managing API tokens like this.

Oliver Siebenmarck _Polymetis Apps_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Mar 03, 2023

Hi @Nicolo 

I'm not an Atlassian, but very interested in the whole API/integration topic. Take the following with a grain of salt and definitely not as an official Atlassian position.

As far as i understand it, Atlassian's position is that users can create personal API tokens, the operative word here being personal – ie a token will also reflect the permissions of the user who created it. Any changes made using that token will therefore also show up as being made by the user. 

Oh, and just because it wasn't mentioned on this thread before: An API token is tied to the user, not the instance. If a user (say a contractor) has access to many instances, their API tokens do too. 

In short, the personal API token is great if you want to quickly script something for yourself. It is not meant to be used in large-scale integrations. Here, Atlassian thinking seems to be that you'd write an app for that and use OAuth

However, not everyone wants to manage tons of functional users or write dedicated apps just so that tiny integration can use the API. That's why we created  API Key Manager (also available for Confluence) to let users create and manage API keys with much tighter restrictions and even expiry dates. 

Getting back to @Raunak 's original question, yes you can restrict an API key created with API Key Manager to just be able to read issues from one project.

Best regards,

Like Gary Spross likes this

Is there a feature request for this that I can follow?

0 votes
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Oct 18, 2019

Hi @Raunak  

I feel as if you've answered your own question :-)

Yes, the token only allows access to whatever that user has access to in Jira, so if you want a token that can only access 1 project, ensure that the user can only access that 1 project.

@Ivanov, Kyrylo [Global IT] as far I know/observed, the api is provided with the same permissions as the user generating it. It is not possible to have scenario you described.

This implementation is a joke. You need to create and mange dummy user accounts for every API token. And I assume each of these accounts counts as a "seat" in your licence fees?

Even worse, there's no facility to impersonate users so you also have to mess-about actually logging into Jira as the dummy user in order to create/revoke/etc. the associated API token.

Am I the only one thinking this is madness. Sensible platforms, like GitLab to name one, allow you to tailor the permissions on the API token at the point of its creation...

Like # people like this
Capi _resolution_
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
Feb 10, 2021

That's how it works in Bitbucket on premise @Steve Revill . It will propagate to the remaining applications, but it might take some time.

Like Steve Revill likes this

Thanks for the response. Am I missing something? For example, if I create three API tokens, I can somehow constrain them so that each can, for example, only access a specific project respectively? Or is the official line that I need a unique dummy user for each API token?

Edit: apologies - having re-read the previous post, I realise I misinterpreted the answer. It is: the better (IMO) way of doing things will be coming to Jira at some point.

Like Chaim Paperman likes this

@Steve Revill i believe you can't. The API Token will align to the user's privileges. And no, you're not the only one deprecating this risky feature. In fact, i just bumped into this.

Like Chaim Paperman likes this

This is definitely a HUGE security concern. 
There is no reason you shouldn't be able to limit what API tokens have permission to. 

If an application becomes compromised and leaks the API Tokens, having full permissions to the Atlassian portal is a big risk. 

Like # people like this

Suggest an answer

Log in or Sign up to answer