Jira API Key: How to Get It and Use It (API Token Guide for Developers)
April 23, 2026
What is a Jira API key?
A Jira API key (called an API token in Jira Cloud) is a credential used to authenticate requests to the Jira REST API. It replaces a user's password in Basic Authentication and allows scripts or backend integrations to access Jira data based on that user's permissions.
Jira does not expose a traditional 'API key' for product APIs. In practice:
- Jira Cloud → API tokens (used with email + token)
- Jira Data Center / Server → Personal Access Tokens (PATs)
- Multi-tenant apps → OAuth 2.0 (3-legged flow)
Why Jira API keys matter for integrations
Before you can read issues, sync comments, or build any workflow, you have to authenticate correctly.
- Credentials are tied to users, not apps
- Behavior differs across Cloud vs Data Center
- Permissions are enforced at the project and issue level
- OAuth requires an extra cloudId resolution step
If auth fails, your integration never reaches business logic.
How to get a Jira API key (API token)
Quick steps
- Go to: https://id.atlassian.com/manage-profile/security/api-tokens
- Click Create API token
- Name the token (e.g.
jira-integration-prod) - Copy it immediately (you won't see it again)
- Use it with your email in API requests
- Store it in a secure secrets manager
Example: using your Jira API key
curl example
curl -u "you@example.com:your_api_token" \
-X GET \
-H "Content-Type: application/json" \
"https://your-domain.atlassian.net/rest/api/3/issue/PROJ-123"
This sends:
Authorization: Basic base64(email:token)
Python example
import requests
from requests.auth import HTTPBasicAuth
response = requests.get(
"https://your-domain.atlassian.net/rest/api/3/issue/PROJ-123",
auth=HTTPBasicAuth("you@example.com", "your_api_token")
)
print(response.json())
What is a Jira API key (detailed)
Jira uses different credential types depending on deployment:
- API token (Cloud)
- Created from an Atlassian user account
- Used with Basic Auth (
email:token) - Inherits that user's permissions
- Personal Access Token (Data Center / Server)
- Used as a Bearer token
- Scoped to that Jira instance
- OAuth 2.0 (Cloud)
- Used for multi-tenant SaaS integrations
- Supports scopes and token refresh
Important: Jira credentials are user-linked, not app-level. Your integration acts as a user or service account.
How Jira authentication actually works
API token (Basic Auth)
- Combine:
email:api_token - Base64 encode
- Send in every request header
No session, no login flow.
OAuth 2.0 (3-legged flow)
Used when customers connect their own Jira instances.
Flow:
- Redirect user to Atlassian authorization page
- User consents
- Receive authorization code
- Exchange for access token
- Call accessible-resources endpoint
- Extract
cloudId - Call API via:
https://api.atlassian.com/ex/jira/{cloudId}/rest/api/3/...
Critical detail:
You cannot use the token until you resolve the cloudId.
Personal Access Tokens (Data Center)
Authorization: Bearer <token>
Used for self-hosted Jira instances.
Jira authentication methods compared
| Method | When to use | Multi-tenant | Rotation | Scope control |
|---|---|---|---|---|
| API token | Internal scripts, single-tenant | No | Manual | User-based |
| OAuth 2.0 | SaaS integrations | Yes | Automatic (refresh tokens) | Scoped |
| PAT (Data Center) | Self-hosted Jira | No | Manual | User-based |
Common Jira API key use cases
API tokens are best suited for:
- Internal scripts
- Reporting, data sync, automation jobs
- CI/CD pipelines
- Update issues on deploy
- Post release notes
- Backend integrations
- Dashboards, bots, internal tools
- Admin / migration scripts
- Bulk issue creation
- Project configuration
These are typically single-tenant, backend-controlled environments.
When to use API tokens vs OAuth
Use API tokens when:
- One Jira site
- Internal usage
- Backend-only
- You control credentials
Use OAuth 2.0 when:
- Multi-tenant SaaS
- Customers connect their own Jira
- You need revocation and auditability
- Security requirements are stricter
Simple rule
| Scenario | Best option |
|---|---|
| Internal automation | API token |
| Single customer backend | API token |
| SaaS product | OAuth |
| Enterprise integrations | OAuth |
How Jira authentication differs from other APIs
Jira behaves differently from most APIs:
- User-based permissions
- Tokens inherit user access, not app scopes
- Multiple auth models
- API tokens, OAuth, PATs
- Cloud vs Data Center split
- Different flows, URLs, behaviors
- OAuth requires cloudId
- Most APIs don't have this extra step
This makes Jira authentication harder to standardize across integrations.
Jira API key not working: common fixes
401 Unauthorized
- Wrong format (must be email + token)
- Using password instead of token
- Wrong API base URL
403 Forbidden
- Missing permissions
- User cannot access project/issue
Token stopped working
- Expired or revoked
- Recreate token and update secrets
OAuth errors
- Missing
cloudId - Wrong API endpoint
Service account issues
- Using wrong URL (
atlassian.netvsapi.atlassian.com)
Quick checklist
- Correct auth format
- Correct base URL
- Token still valid
- User has permissions
- No org policy blocking access
Jira API rate limits (quick overview)
Jira Cloud enforces:
1. Hourly quota (points-based)
- Requests consume points based on complexity
- Shared across tenants
2. Burst limits (per endpoint)
- GET: ~100 requests/sec
- POST: ~100 requests/sec
3. Per-issue limits
- Write operations capped per issue
Handling 429 errors
- Use exponential backoff
- Respect
Retry-After - Reduce concurrency per endpoint
Security considerations
Never store tokens in:
- Frontend code
- Git repositories
- URLs or query strings
Use:
- Secrets managers (AWS, Vault)
- Environment variables
- Encrypted storage
Token lifecycle
- Rotate every 30–90 days
- Use one token per integration
- Prefer service accounts over personal users
Important limitation
Jira Cloud does not support programmatic token creation or rotation.
Auth bottlenecks in SaaS integrations
As you scale:
- Tokens multiply across customers
- Permissions vary per tenant
- Tokens expire or get revoked
- OAuth adds lifecycle complexity
- cloudId must be tracked per tenant
This turns authentication into an ongoing system, not a one-time setup.
Build once across integrations (Unified context)
When Jira is one of many integrations, auth complexity compounds.
Each integration introduces:
- Different token formats
- Different OAuth flows
- Different permission models
Unified handles this by standardizing authorization across integrations.
Instead of managing:
- Jira tokens
- GitHub tokens
- Linear OAuth flows
You get a single connection model:
- One authorization flow per integration
- One connection ID
- Consistent API access across categories
This removes the need to re-implement auth logic for every integration.
FAQs
What is the difference between Jira API key and API token?
Jira Cloud uses API tokens, not traditional API keys. The terms are often used interchangeably, but API token is the correct term.
Can you use a Jira API key in frontend apps?
No. API tokens are long-lived secrets and must only be used in backend systems.
Does a Jira API token expire?
Yes. Tokens can expire based on Atlassian defaults or organization policies.
Should I use OAuth or API token?
Use API tokens for internal use. Use OAuth for SaaS or multi-tenant integrations.
Jira API authentication: simple mental model
- API token = user-level access
- OAuth = app-level, multi-tenant access
- PAT = self-hosted equivalent
- Jira = permission-driven system
Key takeaways
- 'Jira API key' usually means API token (Cloud)
- API tokens are simple but tied to users and hard to scale
- OAuth is required for multi-tenant SaaS integrations
- Jira authentication differs from most APIs (user-based + cloudId step)
- Most integration failures happen at the auth layer, not the API itself
If you're building multiple integrations, authentication is not just setup—it's infrastructure.