Atlassian API token/key | Status of API tokens/keys when a user who generated the token/key has left the organization

Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.

Summary

The ability to generate an API token/key is one of the utilities that Atlassian offers for securely providing authentication and authorization for a particular resource. This article addresses whether a token/key remains active after the user who generated it has left the organization.

Environment

Jira Cloud

Solution

It's important to distinguish whether an API key was generated from the admin portal or an API token was generated from the Atlassian user portal.

API Key:

  • If an admin leaves the organization, the API key they generated for the org remains active in the org, as stated in the following documentation: Manage an organization with admin APIs.
    API keys are associated with the organization and not individual admins. When an admin generates an API key, they exclusively hold the privilege to access the confidential API key value, irrespective of other admins within the organization.
    It is highly recommended to revoke any prior API keys that were accessible to former admins.

API token:

  • However, if an API token has been generated from the user portal, the token's access is revoked once the user account has been deleted from the site. In such scenarios, it is recommended to cross-check whether the API tokens of the user to be deleted are used in any automation rules containing "Send web request" actions or in external scripts. This ensures there is no disruption in service due to authentication problems, as the token passed would be invalidated.
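
One way to run the cross-check recommended above over external scripts and exported rule text, as an added example that is not Atlassian's code. It assumes the credential is sent as HTTP Basic authentication (account email plus API token); the function names, file names, addresses and tokens are constructed for illustration.

```python
import base64
import binascii
import re

# "Basic <base64>" as it appears in an Authorization header value.
BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/]{8,}={0,2})")
# curl-style "-u user@host:secret" or "--user user@host:secret".
CURL_RE = re.compile(r"(?:-u|--user)\s+['\"]?([^\s:'\"]+@[^\s:'\"]+):[^\s'\"]+")

def basic_auth_user(b64_value):
    """Return the username half of a Basic credential, or None if undecodable."""
    try:
        decoded = base64.b64decode(b64_value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _secret = decoded.partition(":")
    return user if sep else None

def find_token_usage(sources, departing_email):
    """Return sorted (source, line_no, kind) hits; the secret is never returned."""
    target = departing_email.lower()
    hits = []
    for name, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in BASIC_RE.finditer(line):
                user = basic_auth_user(m.group(1))
                if user and user.lower() == target:
                    hits.append((name, line_no, "basic-header"))
            for m in CURL_RE.finditer(line):
                if m.group(1).lower() == target:
                    hits.append((name, line_no, "curl-user"))
    return sorted(hits)

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample inputs: file names, addresses and tokens are made up.
SAMPLE_SOURCES = {
    "automation-rule-export.json": '{"name": "Authorization", "value": "Basic %s"}'
        % _b64("alice@example.com:CONSTRUCTED-TOKEN"),
    "sync.sh": "#!/bin/sh\n"
               "curl -u alice@example.com:CONSTRUCTED-TOKEN https://example.invalid/api\n"
               "curl -H 'Authorization: Basic %s' https://example.invalid/api\n"
               % _b64("bob@example.com:CONSTRUCTED-TOKEN"),
}

if __name__ == "__main__":
    for hit in find_token_usage(SAMPLE_SOURCES, "alice@example.com"):
        print(hit)
```

Credentials injected from a secret store or environment variable at run time will not appear in the scanned text, so a clean result here does not rule out use of the token.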


Last modified on Jul 19, 2023
