MCP Server audit logs should capture true originating IP addresses for local clients


    • Minor
    • Scale & Infra

      Summary

      Whenever MCP Server is used with local AI clients (e.g., Cursor, VS Code with MCP extensions), the audit log entries show the originating IP address as 127.0.0.1 or localhost. This impacts how we trace who is accessing Atlassian resources via MCP, as the actual client IP address is not captured in the audit log.

      This brings concerns like the following:

      • Security & forensics gap: Without the originating IP address, security teams cannot perform forensic investigation or incident response when a suspicious MCP tool call is detected.
      • Compliance blocker: Regulated industries (finance, government, healthcare) require complete audit trails including source IP.
      • Explicit parity gap: API token access correctly captures the originating IP address.

      Suggestion

      MCP Server audit log entries should capture and display the true originating IP address of the MCP client (as resolved during OAuth authentication or via forwarded headers such as X-Forwarded-For), consistent with how API token access is already logged. This should apply to both local clients (Cursor, VS Code) and remote MCP clients.
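
One way an audit logger could resolve the originating address from X-Forwarded-For, as the suggestion above describes. This is an added example, not Atlassian's code: the trusted-proxy ranges, function names and record fields are assumptions, and all addresses are constructed.

```python
import ipaddress

# Assumption: networks whose hops are allowed to append to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("127.0.0.0/8", "10.0.0.0/8", "::1/128")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, xff_header=None):
    """Return (ip, origin) where origin is 'socket' or 'x-forwarded-for'.

    The header is walked right to left: the rightmost entries were appended
    by our own proxies, and the first untrusted hop is the client as seen by
    the edge. Anything further left is client-supplied and can be forged.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A header sent by an untrusted peer is ignored entirely.
    if not _is_trusted(peer) or not xff_header:
        return str(peer), "socket"
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer), "socket"  # malformed chain: fall back to the peer
        if not _is_trusted(ip):
            return str(ip), "x-forwarded-for"
    return str(peer), "socket"  # every hop was one of our own proxies


def build_audit_entry(actor, tool, peer_addr, xff_header=None):
    """Hypothetical audit record: keep the raw peer next to the resolved IP."""
    ip, origin = resolve_client_ip(peer_addr, xff_header)
    return {"actor": actor, "tool": tool, "source_ip": ip,
            "source_ip_origin": origin, "peer_ip": peer_addr}


if __name__ == "__main__":
    # Constructed cases: local bridge on loopback, then a spoofed header.
    print(build_audit_entry("user@example.com", "searchIssues",
                            "127.0.0.1", "203.0.113.7"))
    print(build_audit_entry("user@example.com", "searchIssues",
                            "198.51.100.9", "10.1.1.1"))
```

Recording `peer_ip` and `source_ip_origin` alongside the resolved address lets an investigator tell a header-derived value from one observed on the socket.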

              Assignee:
              Unassigned
              Reporter:
              Giuliano C.
              Votes:
              0
              Watchers:
              2