Uploaded image for project: 'Admin Experience'
  1. Admin Experience
  2. AX-686

Allow Admins to generate API tokens for accounts

XMLWordPrintable

    • 6

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      As a partner, I work with a lot of different organizations. This year I've been getting more and more pushback on creating service accounts in the organization's Azure AD/365 tenant because Jira requires an active email account to be able to use the service account to log in and issue it an API token. Adding mailboxes to service accounts both consumes a 365 license and often violates organizational policies for service accounts. This issue is compounded in organizations using Azure sync for user management (SCIM) because we aren't able to create local Jira accounts.

      If we could issue API tokens for service accounts without having to log in as the service account to issue it, that would bypass these organizational issues. Oftentimes it takes weeks to convince the client to create the mail-enabled service account, which has a very negative impact on our projects.

            [AX-686] Allow Admins to generate API tokens for accounts

            Florian Schatz added a comment - - edited

            28b71527d627 the link Atlassian is providing in the admin area leads to a 404: Atlassian Support 

            I found some additional information in the release track: Atlassian Cloud changes Jul 28 to Aug 4, 2025

            Florian Schatz added a comment - - edited 28b71527d627 the link Atlassian is providing in the admin area leads to a 404: Atlassian Support   I found some additional information in the release track: Atlassian Cloud changes Jul 28 to Aug 4, 2025

            Scott Howard added a comment -

            657aba2e5ac6 Do you have a link to the documentation on Service Accounts? This is the first I have heard of them being supported by Atlassian. We use dummy accounts as service accounts which is a bit of a pain.

            Scott Howard added a comment - 657aba2e5ac6 Do you have a link to the documentation on Service Accounts? This is the first I have heard of them being supported by Atlassian. We use dummy accounts as service accounts which is a bit of a pain.

            Florian Schatz added a comment -

            Atlassian just released Service Accounts where you can create API tokens for users without the necessity to login. I think this new future makes this request obsolete.

            Also no issue with impersonation as this is a dedicated set of users.

            Florian Schatz added a comment - Atlassian just released Service Accounts where you can create API tokens for users without the necessity to login. I think this new future makes this request obsolete. Also no issue with impersonation as this is a dedicated set of users.

            Sunny Ape added a comment - - edited

            I have to disagree with this suggestion as it would defeat an intended security mechanism of OAuth.

            Since Jira's licensing currently doesn't distinguish between account types, if Jira or Org admins were able to generate API tokens for accounts without an approval process that contained a human to acknowledge and approve, a rogue admin could generate tokens without a particular user's knowledge or consent, then impersonate them via API requests.

            Making token generation subject to a request, response and approval process is a specific goal of OAuth.

            Sunny Ape added a comment - - edited I have to disagree with this suggestion as it would defeat an intended security mechanism of OAuth. Since Jira's licensing currently doesn't distinguish between account types, if Jira or Org admins were able to generate API tokens for accounts without an approval process that contained a human to acknowledge and approve, a rogue admin could generate tokens without a particular user's knowledge or consent, then impersonate them via API requests. Making token generation subject to a request, response and approval process is a specific goal of OAuth.

              e902c0832f88 Sudesh Peram
              a6e89e8b4389 Megan Hartz
              Votes:
              5 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated: