User API Token Best Practices

Shawn Stevens
Contributor
August 22, 2025

We are currently on Atlassian Cloud Enterprise, and our main authentication policy has the ability for users to create API tokens enabled. When Atlassian introduced the 1-year expiration change, I started to look at all the tokens we had, with the intention of cleaning up and managing the tokens a little better than had previously been done.

I'm curious how others are handling user API tokens. 

I have created a new authentication policy and have started to move users (mainly our service accounts that I have control over) to it, with the intention of turning off the ability to create user API tokens in the main authentication policy, preventing anyone who is not in the new authentication policy from creating API tokens.

I like the introduction of scopes on API tokens, which feels like it gives admins a little more control from a permission perspective.

Do you allow User API tokens? 
How do you manage and keep track of what these users are doing with the API tokens?

Thanks, 

Shawn Stevens

1 answer

1 accepted

0 votes
Answer accepted
Benjamin
Community Champion
August 22, 2025

Hi @Shawn Stevens,
Most of the time I would allow user API tokens. This frees up the admins and allows end users to run scripts and integrate what they need to do their work. User API tokens still follow the user's permission scheme, so they wouldn't access something they wouldn't normally be able to in the UI. Overall, I haven't run into any issues. It will boil down to the organization's business and policies as to what fits best to meet those needs.

Shawn Stevens
Contributor
August 23, 2025

@Benjamin I have inherited the administration, and with Atlassian introducing the expiration, I figured it was a good time to do some cleanup. We have about 1200 users and we were up to about 82 API tokens, with some not having been used for 5-7 years. I have reduced those to around 40. We have so many tokens that I don't really know what they are being used for. To your point, maybe I shouldn't worry about it as much, but my goal was to get a little control of the tokens and then restrict them a bit. I do think it will create some work for me if we get requests for user API tokens.

I really appreciate the feedback and you taking the time to answer my question. 
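The question asks how to keep track of what users are doing with their API tokens, and the reply above describes finding tokens that had not been used in 5-7 years. The script below is an added example of the triage step of that cleanup; it is not code from the thread or from Atlassian. It runs offline over a constructed inventory: the record shape (one entry per user, each token carrying `createdAt`, `lastAccess` and `expiresAt`) is an assumption modelled on an org-admin token export, so the field names must be checked against the current Atlassian organization admin API before pointing it at real data. The 90-day idle threshold and the revoke/keep policy are assumptions too; the point is the classification logic (expired, never used after a grace period, idle past the threshold, recently created but not yet used, active), which is what turns "82 tokens, purpose unknown" into a concrete revocation list.

```python
"""Triage of Atlassian user API tokens from an exported inventory.

Added example, not Atlassian's code and not from the forum thread. The
inventory shape below is an assumption (field names are not verified against
the live organization admin API); only the classification logic matters.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample inventory: no real accounts, labels or token ids.
SAMPLE_INVENTORY = json.loads("""
[
  {"email": "svc-jira-sync@example.com", "tokens": [
    {"id": "t-001", "label": "jira-sync", "createdAt": "2018-03-01T09:00:00Z",
     "lastAccess": null, "expiresAt": null}
  ]},
  {"email": "ci@example.com", "tokens": [
    {"id": "t-002", "label": "ci-pipeline", "createdAt": "2025-01-10T12:00:00Z",
     "lastAccess": "2025-08-20T06:30:00Z", "expiresAt": "2026-01-10T12:00:00Z"}
  ]},
  {"email": "alice@example.com", "tokens": [
    {"id": "t-003", "label": "old-laptop", "createdAt": "2020-06-15T08:00:00Z",
     "lastAccess": "2023-02-01T17:45:00Z", "expiresAt": "2024-06-15T08:00:00Z"}
  ]},
  {"email": "bob@example.com", "tokens": [
    {"id": "t-004", "label": "report-script", "createdAt": "2025-03-01T10:00:00Z",
     "lastAccess": "2025-04-01T10:00:00Z", "expiresAt": "2026-03-01T10:00:00Z"}
  ]},
  {"email": "carol@example.com", "tokens": [
    {"id": "t-005", "label": "new-token", "createdAt": "2025-08-15T14:00:00Z",
     "lastAccess": null, "expiresAt": "2026-08-15T14:00:00Z"}
  ]}
]
""")

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2025, 8, 22, tzinfo=timezone.utc)
STALE_DAYS = 90  # assumed policy: a token idle this long is a revocation candidate
REVOKE_STATUSES = ("expired", "never-used", "stale")


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(token, now=REFERENCE_NOW, stale_days=STALE_DAYS):
    """Return one of: expired, never-used, pending, stale, active."""
    created = parse_ts(token["createdAt"])
    last = parse_ts(token.get("lastAccess"))
    expires = parse_ts(token.get("expiresAt"))
    cutoff = now - timedelta(days=stale_days)
    if expires is not None and expires <= now:
        return "expired"            # already dead; revoke so it stops showing up in reviews
    if last is None:
        # never used: revoke if it outlived the grace period, otherwise give the owner time
        return "never-used" if created <= cutoff else "pending"
    return "stale" if last <= cutoff else "active"


def triage(inventory, now=REFERENCE_NOW, stale_days=STALE_DAYS):
    """Group (email, label) pairs by classification status."""
    buckets = defaultdict(list)
    for user in inventory:
        for token in user["tokens"]:
            status = classify(token, now, stale_days)
            buckets[status].append((user["email"], token["label"]))
    return dict(buckets)


def revocation_candidates(inventory, now=REFERENCE_NOW, stale_days=STALE_DAYS):
    """Sorted list of (email, label) an admin would revoke under the assumed policy."""
    groups = triage(inventory, now, stale_days)
    return sorted(pair for status in REVOKE_STATUSES for pair in groups.get(status, []))


if __name__ == "__main__":
    for status, pairs in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:11s} {len(pairs)}")
        for email, label in pairs:
            print(f"    {email:28s} {label}")
    print("revoke:", revocation_candidates(SAMPLE_INVENTORY))
```

Raising `stale_days` relaxes the policy without touching the logic: with a one-year threshold the idle `report-script` token drops out of the revocation list, while the seven-year-old never-used service-account token and the already-expired one stay on it. The "pending" bucket exists so a freshly minted token is not revoked before its owner has had a chance to wire it in.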

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
ENTERPRISE
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders