Removing rate limits for Atlassian cloud products integrated with Jira
Because of a known issue, Jira Data Center 8.6.0 and 8.6.1 apply rate limiting to integrations with Atlassian cloud products. Until we release an official fix, you can use this workaround to allowlist your product’s OAuth consumer key, and remove any rate limits for it.
Before you begin
You can retrieve your product’s OAuth consumer key from the Jira log file. To get it written there, a request coming from your product needs to be limited. The quickest way to do this is to set rate limiting to Block all requests and wait for a request to be limited. You can also block requests for one user and then use that user to make an incoming request.
Allowlisting OAuth consumer keys
Find the consumer key
Set the logging level for com.atlassian.ratelimiting.internal to TRACE. For more info, see Logging and profiling.
Send a request from the integrated application so it gets limited.
Open the Jira log file, and search for
You’re interested in the Authorization header, which looks similar to this example:
"Authorization: OAuth oauth_token=\"\", oauth_consumer_key=\"FishEye%3A9639366062\", oauth_signature_method=\"RSA-SHA1\", oauth_timestamp=\"1574434622\", oauth_nonce=\"6073902753180203\", oauth_version=\"1.0\", oauth_signature=\"o1QQ%2FIx2Ople7wGtQVSlqVrfKkoJiQ%2FmgH2JvUvTvqR6kivgf7RtBGZDaFS1b6eHrrFHGyOCuAxOLhaa2PZriiI%2BTIDCbg%2FHUH6aaYg5CJ0D%2F%2BPS7iHAWG4lc35TBK4IDE07HZtoVpCM3kYId1HPhdVAmY8NiKqQfavDM5ktixo%3D\""
The consumer key is printed in oauth_consumer_key, and it should have the following pattern:
In this example, %3A is an encoding difference from the log file. The proper consumer key is
Allowlist the consumer key
Go to Administration > System > General configuration > Advanced settings.
Add the consumer key to the com.atlassian.ratelimiting-whitelisted-oauth-consumers option. If you have multiple consumer keys, add them as a comma-separated list, and watch out for overwriting your previous keys.
It takes up to 1 minute to apply the new settings. Once that’s done, the traffic coming from/to the integrated application will no longer be limited.
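The two steps above (finding the key in the log, then adding it without overwriting existing keys) can be scripted. The following is an added example, not Atlassian's own code: the function names are hypothetical, the sample log lines are constructed from the header shown above, and "Example:1234" is a placeholder for a key already present in the setting.

```python
import re
from urllib.parse import unquote

# Matches oauth_consumer_key="..." with or without the backslash-escaped
# quotes that appear when the header is logged inside a quoted string.
_KEY_RE = re.compile(r'oauth_consumer_key=\\?"([^"\\]*)\\?"')


def consumer_keys_from_log(lines):
    """Return decoded consumer keys in first-seen order, without duplicates."""
    seen = []
    for line in lines:
        for raw in _KEY_RE.findall(line):
            key = unquote(raw)  # %3A in the log becomes ':'
            if key and key not in seen:
                seen.append(key)
    return seen


def merge_allowlist(current_value, new_keys):
    """Append new keys to the existing comma-separated setting, keeping old ones."""
    keys = [k.strip() for k in current_value.split(",") if k.strip()]
    for key in new_keys:
        if key not in keys:
            keys.append(key)
    return ",".join(keys)


# Constructed log lines: header values shortened from the page's example.
SAMPLE_LOG = [
    r'"Authorization: OAuth oauth_token=\"\", oauth_consumer_key=\"FishEye%3A9639366062\", oauth_signature_method=\"RSA-SHA1\""',
    r'"Authorization: OAuth oauth_token=\"\", oauth_consumer_key=\"FishEye%3A9639366062\", oauth_version=\"1.0\""',
]

if __name__ == "__main__":
    found = consumer_keys_from_log(SAMPLE_LOG)
    # "Example:1234" is a constructed placeholder for a key already in the setting.
    print(merge_allowlist("Example:1234", found))
```

Paste the printed value into the com.atlassian.ratelimiting-whitelisted-oauth-consumers option; passing the current value of the option as the first argument keeps the keys that are already allowlisted.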