Removing rate limits for Atlassian cloud products integrated with Jira

Still need help?

The Atlassian Community is here for you.

Ask the community

Because of a known issue, Jira Data Center 8.6.0 and 8.6.1 apply rate limiting to integrations with Atlassian cloud products. Until we release an official fix, you can use this workaround to allowlist your product’s OAuth consumer key, and remove any rate limits for it.

Before you begin

You can retrieve your product’s OAuth consumer key from the Jira log file. To get it written there, a request coming from your product will need to be limited. The quickest way to do this is to set rate limiting to Block all requests and wait for a request being limited. You can also block requests for one user and then use it to make an incoming request.

Allowlisting OAuth consumer keys

Find the consumer key

  1. Set the logging level for com.atlassian.ratelimiting.internal to TRACE. For more info, see Logging and profiling.

  2. Send a request from the integrated application so it gets limited.

  3. Open the Jira log file, and search for DefaultRateLimitUIRequestHandler.

  4. You’re interested in the Authorization header, which looks similar to this example:

    "Authorization: OAuth oauth_token=\"\", oauth_consumer_key=\"FishEye%3A9639366062\", oauth_signature_method=\"RSA-SHA1\", oauth_timestamp=\"1574434622\", oauth_nonce=\"6073902753180203\", oauth_version=\"1.0\", oauth_signature=\"o1QQ%2FIx2Ople7wGtQVSlqVrfKkoJiQ%2FmgH2JvUvTvqR6kivgf7RtBGZDaFS1b6eHrrFHGyOCuAxOLhaa2PZriiI%2BTIDCbg%2FHUH6aaYg5CJ0D%2F%2BPS7iHAWG4lc35TBK4IDE07HZtoVpCM3kYId1HPhdVAmY8NiKqQfavDM5ktixo%3D\""

The consumer key is printed in oauth_consumer_key, and it should have the following pattern: <application>:<key>.

In this example, %3A is an encoding difference from the log file. The proper consumer key is FishEye:9639366062.

Allowlist the consumer key

  1. Go to Administration > System > General configuration > Advanced settings.

  2. Add the consumer key to the com.atlassian.ratelimiting-whitelisted-oauth-consumers option. If you have multiple consumer keys, add them as a comma-separated list, and watch out for overwriting your previous keys.

It takes up to 1 minute to apply the new settings. Once that’s done, the traffic coming from/to the integrated application will no longer be limited.

Last modified on Jan 14, 2020

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.