Information about security tokens used for loading external images in email messages sent out by Jira

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible


General Information

Starting with Jira Software 8.15 and Jira Service Management 4.15, outgoing email messages contain links to external images with security tokens embedded in them. The token lets any recipient of an email message load the images remotely, and email clients use these links to display the images inline in the email content body.

These security tokens have the following features:

  • Tokens are JWTs and rely on the Personal Access Tokens feature of Jira.
  • Tokens are valid for 7 days by default.
  • A new token will be generated for each user-attachment pair.
  • Tokens allow access to a particular image on behalf of a particular user and do not allow anything else.

Any recipient of an email message will be able to see the external images in it until the token expires, and that includes all future recipients if the message gets forwarded.

Disabling external image loading
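
The following Python example is added here and is not part of the Atlassian article: it scans a stored email for image links that carry a JWT and reports which tokens have not yet expired, which is the window in which a forwarded copy still loads the image. The URL layout, the `token` parameter name and the presence of a standard `exp` claim in the token are assumptions, and the sample message is constructed.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string

# A compact JWT is three base64url segments; a JSON object always encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
IMG_SRC_RE = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

def make_token(exp_ts):
    """Constructed sample token with a dummy signature (not a real Jira token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256'})}.{enc({'exp': exp_ts})}.c2ln"

def decode_claims(token):
    """Decode the JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if isinstance(claims, dict) else {}

def live_image_tokens(raw_email, now):
    """Return (url, expiry, still_valid) for every <img> link that carries a JWT."""
    findings = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        html = body.decode(part.get_content_charset() or "utf-8", "replace")
        for url in IMG_SRC_RE.findall(html):
            match = JWT_RE.search(url)
            if not match:
                continue  # ordinary image link, no token
            try:
                exp = decode_claims(match.group(0)).get("exp")  # assumed RFC 7519 claim
            except ValueError:
                continue  # JWT-shaped but not decodable
            expiry = datetime.fromtimestamp(exp, timezone.utc) if isinstance(exp, (int, float)) else None
            # No readable expiry: report as still valid so it gets reviewed.
            findings.append((url, expiry, expiry is None or expiry > now))
    return findings

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    link = "https://jira.example.invalid/img.png?token="  # constructed URL layout
    sample = ("Content-Type: text/html; charset=utf-8\n\n"
              f'<img src="{link}{make_token(int((now + timedelta(days=3)).timestamp()))}">'
              f'<img src="{link}{make_token(int((now - timedelta(days=1)).timestamp()))}">')
    for url, expiry, valid in live_image_tokens(sample, now):
        print("LIVE   " if valid else "expired", expiry, url[:60])
```
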

To disable this behavior, the following options exist:

  • Disable Personal Access Tokens system-wide. This disables loading of all embedded images.
  • Disable only the security tokens for email images (see below).

Disabling security tokens for emails

Where: Administration → System → General Configuration → Advanced Settings

Key: jira.security.image.attachment.jwt.tokens.expiry.hours

Description: Adds a security token to every image attachment displayed in email notifications. This allows users to view images in their notifications within the expiry time, which is 168 hours (7 days) by default. Setting it to 0 disables the tokens, but users won’t see images at all.



Last modified on Nov 16, 2021