Important Update! This app will be discontinued soon!
We've made the tough business decision to discontinue the app, as of January 11, 2025.
User Guide
User Token Management for Server and Data Center
Users can manage their tokens by clicking on the profile icon and selecting the API Token Authentication link.
Jira Server or Data Center
Confluence Server or Data Center
Creating a new token
Creating a new token with the corresponding button in the "My API Tokens" tab
- Enter a description for the token
- Select the expiration time within the boundaries defined by your administrator
- Choose whether the token should have Read Only or Read & Write scope *
* Read more about scopes in the infobox at the end of this section
If your administrator has not enabled the "Users may only create Read Only tokens" setting, you will see additional info stating that the token will only have a read-only scope, so that you may only use it for REST requests of type GET:
Click on the Create API Token button to retrieve your token along with a summary of preferences:
You may now access the REST API via HTTP Basic authentication, using your username and the token in place of your user password (if you have one).
Please be aware of possible token scope restrictions as defined by your administrator (see the next paragraph for details).
Token Scopes
There are currently two token scopes available.
Read Only
Only the GET, HEAD and OPTIONS HTTP request types are allowed; using a Read Only token on an endpoint that requires any other type results in a 403 Forbidden error.
There are two exceptions, endpoints that are not affected by this restriction:
- the Jira Session endpoint to which you can POST your username and token to retrieve a session cookie
- the API Token Authentication endpoint to which a user can POST details to create a token if permitted to
Read & Write
All HTTP request types may be used.
Every request type other than GET, HEAD and OPTIONS is treated as a write operation, i.e. one that may create or modify data in some form.
Rate Limiting
If your administrator has enabled rate limiting for requests authenticated with an API token, it is automatically applied to your token.
As in the picture below, you'll see
- for how long the rate limit is valid until it gets reset again
- how many requests you can make within that period
Example:
- at some point, you make your first request with the token
- from that moment on you are allowed to make 5 requests for the next 5 minutes
- details about the current rate limit status for your token are contained in the response headers:
If you exceed the number of requests shown in ATA-RL-REMAINING, you'll receive a 429 (Too Many Requests) error with further details as JSON in the response body:
{
  "remainingMillisecondsUntilRateLimitReset": 283893,
  "requestBucketSize": 5,
  "currentRequestBucketSize": 0,
  "rateLimitMessage": "You've exceeded the rate limit for your token"
}
The field remainingMillisecondsUntilRateLimitReset gives the time in milliseconds until the request bucket is refilled and you can execute more requests.
A rate limit is always assigned to an individual API token and can't be changed once that has been created.
Should your administrator have raised the limit in the meantime, you need to create a new token, or request one from a person who can create it for you (in case you don't have permission to do that yourself).
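The scope rule and the rate-limit response described above, as an added client-side example (not the app's own code): it builds the Basic Authorization header from username and token, refuses to send a request type the token's scope does not allow, and turns a 403 or 429 response into a retry decision. The only header name used is ATA-RL-REMAINING from the guide, the 429 body fields are the ones shown above, and the sample responses are constructed.

```python
import base64
import json
import math

# Request types a Read Only token may use (from the guide); anything else gets 403.
READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}

def basic_auth_header(username: str, token: str) -> str:
    """Authorization header for Basic auth; the API token replaces the password."""
    raw = f"{username}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def method_allowed(method: str, scope: str) -> bool:
    """Client-side mirror of the scope rule: refuse to send a write request with a
    Read Only token instead of letting the server answer 403."""
    if scope == "Read & Write":
        return True
    if scope == "Read Only":
        return method.upper() in READ_ONLY_METHODS
    raise ValueError(f"unknown token scope: {scope!r}")

def handle_response(status: int, headers: dict, body: str) -> dict:
    """Interpret status, headers and body of a token-authenticated call.
    remaining   - requests left in the bucket (ATA-RL-REMAINING header), or None
                  when the header is absent (e.g. rate limiting is disabled)
    retry_after - whole seconds to wait before retrying; 0 unless status is 429
    error       - message for 403/429, otherwise None
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    remaining = lower.get("ata-rl-remaining")
    result = {"remaining": int(remaining) if remaining is not None else None,
              "retry_after": 0, "error": None}
    if status == 403:
        result["error"] = "403 Forbidden: the token scope does not allow this request type"
    elif status == 429:
        info = json.loads(body)  # body fields as documented in the guide
        millis = info["remainingMillisecondsUntilRateLimitReset"]
        result["retry_after"] = math.ceil(millis / 1000)
        result["error"] = info.get("rateLimitMessage", "rate limit exceeded")
    return result

if __name__ == "__main__":
    # Constructed sample: the 429 body from the guide, bucket exhausted.
    body = json.dumps({"remainingMillisecondsUntilRateLimitReset": 283893,
                       "requestBucketSize": 5, "currentRequestBucketSize": 0,
                       "rateLimitMessage": "You've exceeded the rate limit for your token"})
    print(handle_response(429, {"ATA-RL-REMAINING": "0"}, body))
    print(method_allowed("POST", "Read Only"))  # False: would only earn a 403
```

A real client would sleep for retry_after seconds and repeat the call; with a Read Only token it should skip write requests entirely rather than burn bucket capacity on 403s.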
Revoking tokens
To revoke any token, simply use the Delete operation in the Actions column.
A modal window will ask you to confirm, displaying all the token details for your convenience.
Token Manager
Creating a token for other users
If your administrator has granted permissions to create tokens for other users, you'll see another tab called "Token Manager".
It also allows you to filter the tokens of all users and to create tokens for any of them.
To create a token for somebody else, press the New API Token button again and select a user to create a token for.
Provide a description and select an expiration time. The maximum value here is what your administrator has defined:
you may choose a lower value, but you can't select anything above it, if an expiration limit applies at all.
You may also provide a token scope (Read Only or Read & Write) as described earlier.
Not selecting any scope will create a Read & Write token.
Rate Limiting
If the administrator has enabled rate limiting for requests with API tokens, it is also applied to tokens created for another user.
You cannot select or enter values greater than the administrator-defined rate limit (period and number of requests), but you may use smaller values.
For the example in the picture below, that could be any period shorter than 4 hours and a smaller number of requests in the bucket.
Revoking tokens of other users
If you have permission to access the Token Manager tab, you can revoke (delete) tokens in the same way as your own tokens.
Just use the delete icon or link in the Actions column.
Filter Tokens
The token manager tab also provides filter capabilities.
Select one or more users whose tokens you want to see, enter a string from the token description to search for (the search is case-insensitive),
or filter by creation, last-used or expiration date.
The date filters provide presets to choose from, but you can also define a custom range for each.