Atlassian API token/key | Status of API tokens/keys when a user who generated the token/key has left the organization
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
Generating an API token/key is one of the ways Atlassian offers to securely provide authentication and authorization for a particular resource. This article addresses whether a token/key remains active after the user who generated it has left the organization.
Environment
Jira cloud
Solution
It's important to distinguish between an API key generated from the admin portal and an API token generated from the Atlassian user portal.
API Key:
- If an admin leaves the organization, the API key they generated for the org remains active in the org, as stated in the following documentation: Manage an organization with admin APIs.
API keys are associated with the organization and not individual admins. When an admin generates an API key, they exclusively hold the privilege to access the confidential API key value, irrespective of other admins within the organization.
It is highly recommended to revoke any prior API keys that were accessible to former admins.
API token:
- However, if an API token has been generated from the user portal, the token's access is revoked once the user account has been deleted from the site. In such scenarios, it is recommended to cross-check whether any API tokens belonging to the user to be deleted are used in automation rules containing "Send web request" actions or in external scripts. This ensures there is no disruption in service due to authentication problems, because any token passed would be invalidated.
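One way to run the cross-check recommended above before deleting an account, as an added example (not Atlassian's code). It assumes the user's credentials appear either as a Basic `Authorization` header value (base64 of `email:token`) or as a curl `-u email:token` argument; the function names, the sample rule export layout, the scripts and the account names are all constructed for illustration.

```python
import base64
import binascii
import re

# Matches "Basic <base64>" as it appears in an Authorization header value.
BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/]{8,}={0,2})")
# Matches curl-style "-u email:token" / "--user email:token" and captures the email.
CURL_RE = re.compile(r"(?:-u|--user)\s+['\"]?([^\s:'\"]+@[^\s:'\"]+):")


def basic_auth_user(b64_value):
    """Return the user part of a Basic credential, or None if it does not decode."""
    try:
        decoded = base64.b64decode(b64_value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _secret = decoded.partition(":")
    return user if sep else None


def find_token_usage(sources, departing_email):
    """Return sorted (source_name, line_number) pairs that authenticate as departing_email.
    sources maps a name (script path, rule name) to its text content."""
    target = departing_email.lower()
    hits = set()
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            users = [basic_auth_user(m) for m in BASIC_RE.findall(line)]
            users += CURL_RE.findall(line)
            if any(u and u.lower() == target for u in users):
                hits.add((name, lineno))
    return sorted(hits)


# Constructed sample data: not real accounts, tokens, or Atlassian export formats.
_cred = base64.b64encode(b"jane.doe@example.com:CONSTRUCTED_TOKEN").decode()
_other = base64.b64encode(b"svc-bot@example.com:CONSTRUCTED_TOKEN").decode()
SAMPLE_SOURCES = {
    "rule-export.json": '{"action": "Send web request",\n "headers": {"Authorization": "Basic %s"}}' % _cred,
    "sync.sh": "#!/bin/sh\ncurl -u jane.doe@example.com:$TOKEN https://example.atlassian.net/rest/api/3/myself\n",
    "report.py": 'HEADERS = {"Authorization": "Basic %s"}\n' % _other,
}

if __name__ == "__main__":
    for name, lineno in find_token_usage(SAMPLE_SOURCES, "jane.doe@example.com"):
        print(f"{name}:{lineno}: authenticates as departing user")
```

Every hit is a place where the credential needs to be replaced before the account is deleted. Tokens injected from a secret store or environment variable without the email alongside will not be found by this scan and need a separate review.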