Currently, the RPC/SOAP interface allows a user to remotely login and returns a token upon successful authentication. This token is issued by the TokenManager plugin module. Unfortunately, this token is only useful for accessing the RPC/SOAP interface. It would be useful to also use this token to log into Jira's web interface. I have written a LoginFilter that does this. Unfortunately, because the Authenticator.Login() method requires a username/password to login, it prevents me from using the following code since I don't have a password any longer, only a username:
securityConfig.getAuthenticator().login(request, response, user.getName(), "password", persistentLogin);
Ideally, the TokenManager would depend on the Authenticator to issue the token (TokenManager would no longer be needed then). Then, the LoginFilter could login the user with a method similar to:
securityConfig.getAuthenticator().tokenLogin(request, response, token, persistentLogin);
Because this capability isn't available, I had to write code like the following in my LoginFilter:
TokenManager tokenManager = this.getTokenManager();
if (null != tokenManager)
{
    // Ask the RPC plugin's TokenManager which user the token was issued to.
    user = tokenManager.retrieveUser(token);
    if (null != user)
    {
        // Mark the session as logged in by writing DefaultAuthenticator's own session keys.
        request.getSession().setAttribute(com.atlassian.seraph.auth.DefaultAuthenticator.LOGGED_IN_KEY, user);
        request.getSession().setAttribute(com.atlassian.seraph.auth.DefaultAuthenticator.LOGGED_OUT_KEY, null);
    }
}
This is a hack since it depends on Jira using the default authenticator as well as requiring knowledge of the internal workings of the class.
If you are checking a token to determine whether someone should be regarded as logged in, then you should have a look at:
http://opensource.atlassian.com/seraph/sso.html
It describes how to implement a replacement for DefaultAuthenticator that returns a User if a token (from a cookie) was found, and sets the session attributes just as you do.
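As an added illustration of the approach the comment above points to (not code from this issue, from Seraph or from Jira), here is the shape such a replacement authenticator could take. Assumptions: Seraph's DefaultAuthenticator exposes getUser(HttpServletRequest, HttpServletResponse) returning java.security.Principal and the LOGGED_IN_KEY / LOGGED_OUT_KEY constants quoted in the issue; TokenManager.retrieveUser(String) is the RPC plugin method used in the issue and returns something usable as a Principal (Jira's User type); the cookie name, the getTokenManager() lookup and the package of TokenManager are placeholders. The class is left abstract because DefaultAuthenticator delegates user lookup and password checking to Jira's concrete authenticator, which is where this logic would actually be added.

```java
import java.security.Principal;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.atlassian.seraph.auth.DefaultAuthenticator;

// Added example: a DefaultAuthenticator replacement that treats a valid RPC token
// carried in a cookie as a login, so the LoginFilter no longer has to poke at
// Seraph's session keys from the outside.
public abstract class TokenCookieAuthenticator extends DefaultAuthenticator {

    // Placeholder cookie name (assumption); choose one that cannot collide with
    // the servlet container's session cookie.
    private static final String TOKEN_COOKIE = "jira_rpc_token";

    // Placeholder for however the filter in the issue obtained its TokenManager.
    protected abstract TokenManager getTokenManager();

    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession();

        // 1. An existing Seraph login wins; the token is not consulted again.
        Principal existing = (Principal) session.getAttribute(LOGGED_IN_KEY);
        if (existing != null) {
            return existing;
        }

        // 2. Respect an explicit logout: a lingering cookie must not silently
        //    re-establish the session the user just ended.
        if (session.getAttribute(LOGGED_OUT_KEY) != null) {
            return null;
        }

        // 3. Only now look for the token and let the TokenManager decide whether
        //    it is still valid; no password fallback happens here.
        String token = readCookie(request, TOKEN_COOKIE);
        if (token == null) {
            return null;
        }
        TokenManager tokenManager = getTokenManager();
        if (tokenManager == null) {
            return null;
        }
        Principal user = (Principal) tokenManager.retrieveUser(token);
        if (user == null) {
            return null;   // unknown or expired token: remain anonymous
        }

        // Same two attributes the filter in the issue set by hand, now written
        // by the authenticator that owns them.
        session.setAttribute(LOGGED_IN_KEY, user);
        session.setAttribute(LOGGED_OUT_KEY, null);
        return user;
    }

    // Return the value of the named cookie, or null if the request carries none.
    private static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (name.equals(cookies[i].getName())) {
                return cookies[i].getValue();
            }
        }
        return null;
    }
}
```

The order of the three checks is the security-relevant part: an explicit logout is honoured before the cookie is read, and a token that the TokenManager rejects leaves the request anonymous rather than falling back to the username/password path. The authenticator is wired in through Seraph's configuration in place of the default one, as the linked page describes.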