Using Personal Access Tokens
Personal access tokens (PATs) are a secure way to use scripts and integrate external applications with your Atlassian application. If an external system is compromised, you simply revoke the token instead of changing the password and consequently changing it in all scripts and integrations.
Personal access tokens are a safe alternative to using username and password for authentication with various services.
This page explains how to create personal access tokens in Jira and Confluence.
For information on using personal access tokens in other Atlassian products, see:
Before you begin
You can create and use personal access tokens in Data Center and server editions of the following Atlassian applications:
- Jira Core 8.14 and later
- Jira Software 8.14 and later
- Jira Service Management 4.15 and later
- Confluence 7.9 and later
The admin view of personal access tokens is available in the Data Center version of these applications.
On this page:
Creating PATs in application
- In your Atlassian application go to:
- In Confluence, select your profile picture at top right of the screen, then choose Settings > Personal Access Tokens .
- In Jira, select your profile picture at the top right of the screen, then choose Personal Access Tokens .
- Select Create token.
- Give your new token a name.
Optionally, for security reasons, you can set your token to automatically expire after a set number of days.
The EXPIRES SOON status appears 5 days before the actual expiration date. Once the token expires, you can't reactivate it. You must create a new token.
Click Create.
Your personal access token is created. Copy the token and store it in a safe space.
Creating PATs using REST API
Send a POST HTTP request with the following body:
{
"name": "tokenName",
"expirationDuration": 90
}
Though the expirationDuration
parameter, you can define the number of days for which your token will remain valid.
to the following address:
{{baseUrlOfYourInstance}}/rest/pat/latest/tokens
In response, you'll receive the PAT.
Using PATs
To use a personal access token for authentication, you have to pass it as a bearer token in the Authorization header of a REST API call.
Here's an example using cURL to call the REST API with a bearer token:
curl -H "Authorization: Bearer <yourToken>" https://{confluenceBaseUrl}/rest/api/content
Revoking PATs
If for any reason, for instance, security breach, you need to revoke your token, you can do it quickly from your Atlassian application:
- In your Atlassian application go to:
- In Jira select your profile picture at the top right of the screen, then choose Personal Access Tokens .
- In Confluence, select your profile picture at top right of the screen, then choose Settings > Personal access tokens.
- Select Revoke next to the token you want to delete.
- Confirm your choice.
Your token is now revoked and can't be used for further authentication.
Limit token creation
Administrators can use system properties to limit the number of tokens people can create, and set expiry rules.
To find out how to apply system properties in your application:
- For Jira, see Setting properties and options on startup
- For Confluence, see Configuring System Properties
Administer personal access tokens
This feature is available with a Data Center license.
In Data Center applications, administrators can see a list of all tokens created in the site, and revoke any of these tokens.
To administer personal access tokens:
- In your Atlassian application go to:
- In Jira, select > System > Administering personal access tokens.
- In Confluence, select . > Security > Administering personal access tokens
In this view, you can filter your tokens by the author, creation and expiration date, and the last time the token was used for authentication. Admins can revoke individual tokens and delete multiple tokens at once. To bulk revoke, select tokens you want to revoke, and click Bulk revoke.