Atlassian Guard: ACCESS-1816

Provide an option to decide if users should have their API tokens revoked when their accounts are deactivated

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

Currently, if a user has created API tokens, those tokens are not automatically revoked when their Atlassian Account is deactivated.

The tokens stop working with an "Unauthorized (401)" error, and the following errors are registered in the Atlassian backend logs:

      message: authoriseForLogin denied, user <USER_ID> is inactive
      message: The user '<USER_ID>' is NOT AUTHORIZED to perform this request  

Keeping the tokens associated with the deactivated Atlassian Account is expected behavior and causes no functional issue, since both the user and the tokens are completely blocked from accessing or making API requests to Atlassian. Nevertheless, some Org administrators are concerned by the continued existence of these tokens.

Others might have very strict security policies that require those tokens to be removed.

      Suggestion:

      Please implement a mechanism where the Org Administrator can decide if the tokens should be automatically revoked when an Atlassian Account is deactivated. 

Perhaps this feature could be included in the User API tokens screen.

      Workaround:

      It's possible to revoke the tokens using two approaches, which are both mentioned in the following documentation page: 
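Until such an option exists, an administrator has to spot blocked token use and find the tokens to revoke by hand. The following added example (my own code, not from the issue or from Atlassian) parses the two log messages quoted above to count blocked requests per deactivated account, and reconciles a constructed user directory against a constructed token inventory to list the tokens that should be revoked; the account ids and field names are assumptions.

```python
import re

# Constructed log excerpt in the shape of the two backend messages quoted in
# the issue; account ids are made up. Each blocked token use emits both lines.
SAMPLE_LOG = """\
message: authoriseForLogin denied, user id-alice-0001 is inactive
message: The user 'id-alice-0001' is NOT AUTHORIZED to perform this request
message: request completed in 12ms
message: authoriseForLogin denied, user id-carol-0003 is inactive
message: The user 'id-carol-0003' is NOT AUTHORIZED to perform this request
message: authoriseForLogin denied, user id-alice-0001 is inactive
message: The user 'id-alice-0001' is NOT AUTHORIZED to perform this request
"""

INACTIVE_RE = re.compile(r"authoriseForLogin denied, user (\S+) is inactive")

def blocked_uses_per_account(log_text: str) -> dict[str, int]:
    """Count blocked requests per deactivated account. Only the 'is inactive'
    line is counted so the paired 'NOT AUTHORIZED' line does not double it."""
    counts: dict[str, int] = {}
    for line in log_text.splitlines():
        match = INACTIVE_RE.search(line)
        if match:
            counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return counts

# Constructed directory and token inventory. Field names are assumptions, not
# the Atlassian API's own; adapt them to whatever export you work from.
USERS = {
    "id-alice-0001": {"email": "alice@example.com", "active": False},
    "id-bob-0002": {"email": "bob@example.com", "active": True},
    "id-carol-0003": {"email": "carol@example.com", "active": False},
}
TOKENS = [
    {"id": "tok-a1", "account_id": "id-alice-0001", "label": "ci-runner"},
    {"id": "tok-b1", "account_id": "id-bob-0002", "label": "laptop"},
    {"id": "tok-c1", "account_id": "id-carol-0003", "label": "script"},
    {"id": "tok-c2", "account_id": "id-carol-0003", "label": "old-laptop"},
]

def tokens_to_revoke(users: dict, tokens: list) -> list[str]:
    """Return ids of tokens still attached to deactivated accounts, sorted."""
    inactive = {aid for aid, user in users.items() if not user["active"]}
    return sorted(t["id"] for t in tokens if t["account_id"] in inactive)
```

Running the two functions together shows which deactivated accounts still have tokens being presented and which token ids an administrator needs to revoke through the workaround.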

Assignee: Unassigned
Reporter: Renan Andrade