restrict access to A4J secret keys

reza rouhafza June 1, 2025

I found out that secret keys stored in A4J are usable by anyone who has access to A4J on my Jira instance (i.e., project admins). For example, if I create a secret key for my Jira personal access token, then every project admin can use my PAT to send a request to Jira with my account identity and access. 

HOW is that a secret? :/

Is there a way to prevent this so that everyone can only access the secret keys that they have defined?

2 answers

1 vote
Bill Sheboy
Rising Star
June 1, 2025

Hi @reza rouhafza 

You are correct: they are not.

In both Cloud and Server / Data Center automation, there is no actual "secret storage" for use in rules yet. Even though Cloud has a "hide" feature to conceal things like headers in the Send Web Request action, anyone who can export rules can see them in the JSON.

There are several open suggestions to improve this, such as these:

https://jira.atlassian.com/browse/AUTO-1365
https://jira.atlassian.com/browse/JIRAAUTOSERVER-107


Kind regards,
Bill

reza rouhafza June 2, 2025

Thanks a lot @Bill Sheboy 

I read the suggestions you mentioned, but I think they are not about this problem.

For now, I found a very bad workaround :) Since my automation triggers were asset-related and not issue-related, I set the PAT secret scope (and my rules) to a certain project that only I have automation access to. As a result, other project admins don't see my secret, BUT Jira admin can. That's a little more secure, I think :)

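Bill's point that an exported rule shows whatever was typed into it, "hidden" headers included, suggests a simple audit step for anyone who already has export rights: scan the export for credential material before it is shared or archived. The script below is an added example, not code from Atlassian, the automation product, or anyone in this thread. It walks an exported-rule JSON document of any shape, flags entries whose header name is a well-known credential carrier or whose value is credential-shaped, and produces a redacted copy. The sample export and its field layout (rules / components / headers as name/value objects) are constructed for the example and are assumptions, not the real Jira export schema; the walker is deliberately schema-agnostic so it does not depend on them.

```python
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Constructed sample of an automation-rule export. The nesting is an assumption
# made for this example; the real export schema is not reproduced here.
SAMPLE_EXPORT = json.dumps({
    "rules": [
        {
            "name": "Sync asset to CMDB",
            "components": [
                {
                    "type": "send_web_request",
                    "value": {
                        "url": "https://example.invalid/api",
                        "headers": [
                            {"name": "Authorization",
                             "value": "Bearer CONSTRUCTED-PAT-abcdef0123456789"},
                            {"name": "Content-Type", "value": "application/json"},
                        ],
                    },
                }
            ],
        },
        {
            "name": "Notify channel",
            "components": [
                {
                    "type": "send_web_request",
                    "value": {
                        "url": "https://example.invalid/hook",
                        "headers": [
                            {"name": "X-Api-Key",
                             "value": "k3y-CONSTRUCTED-0000111122223333"},
                        ],
                    },
                }
            ],
        },
    ]
})

# Header names that carry credentials by convention.
SENSITIVE_KEYS = {"authorization", "proxy-authorization", "x-api-key",
                  "x-auth-token", "cookie"}
# Values that look like a scheme-prefixed token or a long opaque token.
TOKEN_VALUE = re.compile(r"(?i)^(bearer|basic|token)\s+\S{8,}$|^[A-Za-z0-9_\-]{32,}$")
REDACTED = "<REDACTED>"


def _is_credential(key: str, value: str) -> bool:
    """True when the name or the shape of the value suggests a credential."""
    if value == REDACTED:
        return False
    return key.lower() in SENSITIVE_KEYS or TOKEN_VALUE.match(value) is not None


def _iter_pairs(node: Any, path: str) -> Iterator[tuple[str, str, str]]:
    """Yield (path, key, value) for every string-valued entry in the document.
    Objects of the form {"name": ..., "value": ...} are treated as one pair."""
    if isinstance(node, dict):
        if isinstance(node.get("name"), str) and isinstance(node.get("value"), str):
            yield path, node["name"], node["value"]
            return
        for key, child in node.items():
            child_path = f"{path}.{key}" if path else key
            if isinstance(child, str):
                yield path, key, child
            else:
                yield from _iter_pairs(child, child_path)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from _iter_pairs(child, f"{path}[{index}]")


def find_exposed_credentials(export_json: str) -> list[dict[str, str]]:
    """Return one finding per credential-looking entry, with a short preview only."""
    findings = []
    for path, key, value in _iter_pairs(json.loads(export_json), ""):
        if _is_credential(key, value):
            findings.append({"path": path, "key": key, "preview": value[:12] + "..."})
    return findings


def redact_export(export_json: str) -> str:
    """Return the export with every credential-looking value replaced."""
    def _redact(node: Any) -> Any:
        if isinstance(node, dict):
            if isinstance(node.get("name"), str) and isinstance(node.get("value"), str):
                if _is_credential(node["name"], node["value"]):
                    return {**node, "value": REDACTED}
                return node
            return {k: (REDACTED if isinstance(v, str) and _is_credential(k, v)
                        else _redact(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [_redact(v) for v in node]
        return node
    return json.dumps(_redact(json.loads(export_json)), indent=2)


if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE_EXPORT):
        print(f"{finding['path']}: {finding['key']} = {finding['preview']}")
```

Running it against a real export is a one-line change: read the file instead of `SAMPLE_EXPORT`. The findings list tells you which rules carry a PAT or API key in clear, which is exactly the set that every project admin with export rights can read; the redacted copy is the one to attach to tickets or back up.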
0 votes
Aaron Williams
Rising Star
June 1, 2025

Hey @reza rouhafza 

Is this when you are using the incoming webhook action? 

reza rouhafza June 2, 2025

Hi @Aaron Williams 

No. It is mostly about sending an "HTTP request" action. I'm concerned that if I define my PAT as a secret in A4J, someone else (i.e., other project admins) may use it to send their request with my PAT. It may cause some serious security issues.

There should be a restriction feature to prevent users from using PATs that were not defined by them.


Deployment type: Cloud