API token scopes required for reading user details from Jira REST API

Joe Johnson
Rising Star
August 15, 2025

Hello all,

I have an automation which sends the web request

/rest/api/2/user/search?query={{issue.customfield_12345.urlEncode}}

where {{issue.customfield_12345.urlEncode}} is an email address field. This works perfectly fine when using a testing account with a full access API token and returns results exactly as intended. I want to use an Atlassian Service account where API keys must be created with scopes; however, I cannot get this API call to work when using an Atlassian Service account with the scopes listed in the Atlassian REST API documentation:

https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-user-search/#api-rest-api-2-user-search-get 

Permissions required: Browse users and groups global permission

Anonymous calls or calls by users without the required permission return empty search results.

Scopes

OAuth 2.0 scopes required:

Classic (RECOMMENDED): read:jira-user

Granular: read:user:jira, read:user.property:jira, read:application-role:jira, read:avatar:jira, read:group:jira

I have confirmed that:

  • The service account has access to the Jira application
  • It is in a group which has the Browse users and groups global permission
  • It has all the above listed scopes in the API key
  • The call appears to be authenticating correctly (the key updates the 'last used' whenever I run the automation)
  • I get a 200 status back from the API call

Unfortunately it simply doesn't return any results, which suggests that the permissions are somehow not correct. 

If I change only the Authorization header to use the known working test account API key, it works fine and returns results, but when I change it to the Service account key, it fails. I've even tried other permutations of scopes and app access but nothing appears to work.

Any ideas greatly appreciated!

1 answer

0 votes
Marc - Devoteam
Rising Star
August 15, 2025

Hi @Joe Johnson 

When using a scoped API token, you can call the app API directly.

You need to call the Atlassian API to use API tokens with scopes for Jira: https://api.atlassian.com/ex/jira/{cloudId}

See the documentation, What-are-scopes-for-API-tokens, in the section "Create an API token with scopes".

Joe Johnson
Rising Star
August 15, 2025

Ha! Thank you!

I actually came back here to say that I'm one step further; I found the docs above earlier and have changed the URL including the orgID etc, but now I get a 404 for that URL. I wondered if it was authentication related and I'm not sending the credentials in the correct way, but I would have expected a 403 in this case?

With PAT and Basic auth in the standard API calls, you need to encode the credentials:

 service.account@domain.com:ATT123etc

as base64 and then pass them in the auth header as

Basic aBc123

How do you pass Bearer tokens? Do you need to encode as Base64 or just like

Bearer ATT123etc

The docs don't really make it clear.

Thanks again! 

Marc - Devoteam
Rising Star
August 15, 2025

Hi @Joe Johnson 

I think it's Bearer <PAT>

Joe Johnson
Rising Star
August 15, 2025

Thanks. I've tried every variation I can think of but I'm still getting a 404 which is very strange, and I've checked the CloudID which is also definitely correct.

 

Mystifying!
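
The request forms discussed in this thread, as an added Python example that is not code from any poster or from Atlassian: it builds the gateway URL for the user-search endpoint, forms the Basic and Bearer header values, and labels the outcomes reported above. The function names, the placeholder cloud id and the sample mailbox are assumptions constructed for illustration; which scheme a service-account token requires is not established by this thread, so the code only shows how each header is formed.

```python
import base64
import json
from urllib.parse import quote, urlencode

GATEWAY = "https://api.atlassian.com/ex/jira/{cloud_id}"  # base URL from the answer above
SEARCH_PATH = "/rest/api/2/user/search"                    # endpoint from the question


def gateway_search_url(cloud_id, email):
    """Gateway URL for a user search, with the query percent-encoded."""
    base = GATEWAY.format(cloud_id=quote(cloud_id, safe=""))
    # quote_via=quote turns '+' into %2B and '@' into %40, so a plus-addressed
    # mailbox is not decoded by the server as containing a space.
    return base + SEARCH_PATH + "?" + urlencode({"query": email}, quote_via=quote)


def basic_header(email, token):
    """Basic scheme: base64 of 'email:token', as described in the thread."""
    raw = f"{email}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(token):
    """Bearer scheme (RFC 6750): the token is sent verbatim, with no base64 step."""
    return "Bearer " + token


def interpret(status, body):
    """Label a user-search response.

    Per the documentation quoted in the question, a caller without the
    required permission gets a 200 with an empty list, so a 200 status
    alone does not show that the search worked.
    """
    if status == 200:
        return "ok" if json.loads(body) else "empty"
    if status in (401, 403):
        return "auth"
    if status == 404:
        return "not_found"
    return "other"


if __name__ == "__main__":
    # Constructed sample values, not real identifiers or credentials.
    print(gateway_search_url("CLOUD-ID-PLACEHOLDER", "jane+ops@example.com"))
    print(basic_header("service.account@domain.com", "ATT123etc"))
    print(bearer_header("ATT123etc"))
    print(interpret(200, "[]"))
```

Logging the `interpret` label alongside the status code separates the 200-with-empty-results case from a working call when swapping tokens.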
