Community Announcements have moved! To stay up to date, please join the new Community Announcements group today. Learn more

×
Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Jira Token With Scopes

aadish
aadish
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
May 21, 2025

As Api token without scopes are deprecating I created a jira token with scopes using following scopes:
read:issue:jira
read:issue-details:jira
read:project:jira
read:user:jira
read:permission:jira

curl --location 'https://***********/rest/api/3/issue/PPT-28' \
--header 'Accept: application/json' \
--header 'Authorization: Basic *********** \
--header 'Cookie: atlassian.xsrf.token=a87d095344e85388d88b42f511242659303971a4_lout'

I am getting the below error 

{
"errorMessages": [
"Issue does not exist or you do not have permission to see it."
],
"errors": {}
}

Need help over this
Answer
Watch
Like Be the first to like this
1702 views

3 answers

1 vote
Oliver_Taylor
Oliver_Taylor
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 31, 2025

I just figured this out so posting in case it helps others. I was getting all the below errors when trying to figure out how to use scoped personal access tokens (PAT) with the Jira API. 

"Issue does not exist or you do not have permission to see it."
"Unauthorized; scope does not match"
"Failed to parse Connect Session Auth Token"

I finally found the solution that allowed me to use scoped personal access tokens (you do not need OAUTH)

  1. Use the cloud API URL as the base URL for the API calls (mentioned here https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/) . The URL is of format https://api.atlassian.com/ex/jira/{cloudId}, cloudId can be found by going to https://your_domain.atlassian.net/_edge/tenant_info
  2. Use basic authentication in the header, with the format being 'email:token' base64 encoded:
    -H 'Authorization: Basic <base64encode(email:token)>
  3. Select the scopes carefully for what you need, the scopes needed for each API call are listed on the API documentation https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/#about

The above then allowed me to query the API with my scoped token

View More Comments
송아영 _ahsong_
aw
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 19, 2025

This answer has been really helpful to me. Thank you so much for sharing your experience. :)

Like
Reply
1 vote
Jorge Belenguer
Jorge Belenguer
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
May 22, 2025

Documentation is a bit confusing, so I'm not going to pretend I'm sure about this, but...

I believe to use scoped tokens you cannot use basic authentication, but OAuth 2.0 instead (Jira scopes for OAuth 2.0 (3LO) and Forge apps).

Worth adding that if that assumption is correct, you will also need to go through the https://api.atlassian.com/ex/jira/<cloudId> endpoint instead of https://your-domain.atlassian.net

https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/#other-integrations

 

View More Comments
Annius Groenink
Annius Groenink
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 14, 2025

It appears that yes, when using a scoped token you need to go through /ex/jira/<cloud-id>/ but no, OAuth is not required, you can use the scoped token directly with basic authentication...

 

for now :-)

Like NAKASHOJI Kento likes this
Reply
0 votes
Rene C_ _Atlassian Support_
Rene C_ _Atlassian Support_
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 23, 2025

Hi, @aadish ! I recently received a support request from another customer with a similar problem. I believe this is related to what @Jorge Belenguer mentioned about scopes generally being meant for OAuth 2. but now that the API Tokens page implemented scopes for API tokens and is also indicating that un-scoped API tokens will be deprecated, it is not clear if this is meant to deprecate Basic auth as well, or if the scoped API tokens are meant to be used with Basic auth like un-scoped ones and are simply not working as expected, like in your case.

To ensure we track this, as well as to clarify the scenario, I raised a bug report for this at: JRACLOUD-94545 - Sending web requests with API tokens with a scope result in permission issues

It is worth mentioning some endpoints work as expected even when scoped and using basic auth, so I'm leaning toward a bug in the way scopes are validated with basic auth. In any case, I suggest using un-scoped tokens for now, relying on the project permissions to limit what the credentials can used, and add yourself as a watcher in the bug report to be notified of updates about this topic 

View More Comments
Rene C_ _Atlassian Support_
Rene C_ _Atlassian Support_
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 14, 2025

Following up on this, I can confirm that when using scoped API Tokens, you can still use Basic authentication, but it has to use a different URL format. This difference in URL is now reflected in the documentation page Manage API tokens for your Atlassian account:

How to use an API token
A primary use case for API tokens is to allow scripts to access REST APIs for Atlassian cloud apps using HTTP basic authentication.

Depending on the details of the HTTP library you use, you can replace your password with the token. For example, when using curl, you could do something like this:

## URL for API Tokens
curl -v https://mysite.atlassian.net --user me@example.com:my-api-token

## URLs for API tokens with scopes for Jira and Confluence
curl -v https://api.atlassian.com/ex/jira/{cloudId} --user me@example.com:my-api-token
curl -v https://api.atlassian.com/ex/confluence/{cloudId} --user me@example.com:my-api-token

This was clarified shortly after I created the bug report (now a feature request, since this behavior is expected). More information can be found at JRACLOUD-94545 - Add support for atlassian.net when sending web requests with scoped API tokens to avoid permission errors 

 

Like Annius Groenink likes this
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
FREE
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security