Improved API security and expanded authentication policy controls for all cloud customers


Hi Atlassian Community,

My name is Kunwar, and I am a product manager responsible for cloud security here at Atlassian.

The threat landscape keeps changing, and you need stronger controls over how your organization's data is accessed. That's why we're enhancing API security and default authentication policies to give all Atlassian cloud customers more control over, and visibility into, data access. Let me walk you through what's changed and what it means for you.


Improved API Security: What’s changing?

When users at your organization access Atlassian product data via APIs, you need control and visibility over the API tokens and SCIM API keys they generate, because each one is a long-lived credential that can be lost or leaked. We've made five key enhancements that are available now, with one more in an Early Access Program (EAP).

  • Expiry for API tokens and SCIM API keys: user API tokens and SCIM API keys now have a default one-year expiry from creation, so access is time-bound and must be actively renewed rather than living on indefinitely. This reduces the likelihood of incidents caused by unused or forgotten API tokens and SCIM API keys. Atlassian Guard admins can also set a shorter expiration for user API tokens in an authentication policy, choosing any value between 1 and 365 days; this policy setting applies to members of that policy who hold API tokens (it covers user API tokens, not SCIM API keys).


  • Adding scopes to API tokens/API keys: when creating an API token, users can choose which products and which OAuth scopes the token can access, along with the level of access, for example read-only access to Jira data. API keys let admins act on behalf of their organization to call the admin APIs: consume audit logs, query policies (to verify compliance), and query users to look up their account IDs. When creating an API key, admins can restrict it to only the permissions it needs. Scoping limits each credential to the minimum it requires, so a leaked token or key exposes far less, reducing the scale of any potential security incident.


  • Manage orphan API keys (admins only): admins will be notified about API keys created by former admins who have since left the organization, so those keys can be reviewed and revoked rather than silently continuing to work.


  • Early Access Program: Service accounts: reduce admin overhead with service accounts by eliminating the need to maintain passwords, SSO, or 2FA for accounts that are only created to run scripts and integrations. If you’re interested in participating in the EAP, please email me (ksingh7@atlassian.com) to learn more.
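The expiry and orphan-key items above describe what the product now surfaces; the checks below are what an admin would run against an inventory of credentials to act on them. This is an added example, not Atlassian's own code or API: it audits a constructed list of API tokens and admin API keys and flags any with no expiry, any expiring within 30 days, any unused for 90 days, any with no scopes, and any whose owner is no longer an active member (or, for admin API keys, an active admin). The record shape (`owner`, `createdAt`, `expiresAt`, `lastAccess`, `scopes`), the thresholds and the sample data are all assumptions; map a real export from Atlassian administration onto this shape.

```python
"""Audit API tokens and admin API keys against a rotation / least-privilege policy.
Added example, not Atlassian code. Record fields and thresholds are assumptions."""
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumed values for this example; tune to your org).
EXPIRY_WARN_DAYS = 30   # flag credentials that expire within this window
STALE_DAYS = 90         # flag credentials not used for this long

# Fixed "now" so the example is deterministic and runs offline.
NOW = datetime(2025, 4, 15, tzinfo=timezone.utc)

# Constructed directory state: who is still in the org, and who is still an admin.
ACTIVE_MEMBERS = {"alice@example.com", "bob@example.com"}
ACTIVE_ADMINS = {"alice@example.com"}

# Constructed credential inventory. The field names are an assumption loosely
# modelled on what an admin export would contain; they are not a real API schema.
API_TOKENS = [
    {"id": "tok-1", "owner": "alice@example.com", "createdAt": "2024-06-01T00:00:00Z",
     "expiresAt": "2025-06-01T00:00:00Z", "lastAccess": "2025-04-10T08:30:00Z",
     "scopes": ["read:jira-work"]},
    # Legacy token created before the default expiry existed, unscoped, unused for months.
    {"id": "tok-2", "owner": "bob@example.com", "createdAt": "2024-01-10T00:00:00Z",
     "expiresAt": None, "lastAccess": "2024-11-01T12:00:00Z", "scopes": []},
    # Owner has left the org; token still valid and about to expire.
    {"id": "tok-3", "owner": "carol@example.com", "createdAt": "2025-03-20T00:00:00Z",
     "expiresAt": "2025-05-01T00:00:00Z", "lastAccess": None,
     "scopes": ["read:jira-work"]},
]
ADMIN_API_KEYS = [
    # Created by a former admin: the "orphan API key" case.
    {"id": "key-1", "owner": "dave@example.com", "createdAt": "2024-12-01T00:00:00Z",
     "expiresAt": "2025-12-01T00:00:00Z", "lastAccess": "2025-04-01T00:00:00Z",
     "scopes": ["read:audit-log"]},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(records, allowed_owners, now=NOW):
    """Return {record_id: sorted list of findings}. Clean records are omitted."""
    findings = {}
    for rec in records:
        hits = []
        created = parse_ts(rec["createdAt"])
        expires = parse_ts(rec.get("expiresAt"))
        last_used = parse_ts(rec.get("lastAccess"))

        if expires is None:
            hits.append("no_expiry")            # never rotates on its own
        elif expires <= now:
            hits.append("expired")              # should already be rejected; clean up
        elif expires - now <= timedelta(days=EXPIRY_WARN_DAYS):
            hits.append("expiring_soon")        # rotate before the integration breaks

        if rec["owner"] not in allowed_owners:
            hits.append("orphaned")             # owner left the org / lost admin rights

        # A token that has never been used counts from its creation date.
        if now - (last_used or created) > timedelta(days=STALE_DAYS):
            hits.append("stale")

        if not rec.get("scopes"):
            hits.append("unscoped")             # inherits the owner's full access

        if hits:
            findings[rec["id"]] = sorted(hits)
    return findings


def run_audit():
    """Audit user tokens against members and admin keys against admins."""
    report = {}
    report.update(audit(API_TOKENS, ACTIVE_MEMBERS))
    report.update(audit(ADMIN_API_KEYS, ACTIVE_ADMINS))
    return report


if __name__ == "__main__":
    for rid, reasons in run_audit().items():
        print(f"{rid}: {', '.join(reasons)}")
```

Admin API keys are audited against the admin set rather than the member set because a key created by someone who is still a member but no longer an admin is just as orphaned as one created by someone who left; the "orphaned" finding is the trigger for revocation, while "expiring_soon" is the trigger for rotation before an integration breaks.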


Default authentication policy

To further strengthen user access control, we’re extending the following controls in default authentication policies to all cloud customers:

  • Block/allow API tokens - control whether users can create new API tokens, or use existing ones, to authenticate to your organization's product data.

  • Enforcing 2FA - require users to set up and use a second verification step when logging into Atlassian products, or leave it optional.

  • Bulk revoke API tokens - revoke the API tokens of every user in an authentication policy in one action instead of deleting them one at a time.


These security updates mark another step in providing you with added controls to help you secure your organization’s data in Atlassian cloud. We’re always looking to hear from you, so please share any questions or comments below.

Cheers,

Kunwar

5 comments

Dirk Ronsmans
Community Champion
April 15, 2025

Interesting news @Kunwardeep Singh!

Especially looking forward to "Adding scopes to API tokens/API Keys". I'm assuming that besides selecting a product, this would also imply that we can limit API tokens to a specific instance only?

Especially for Solution Partners, where we have access (and usually substantial access) to many environments, it will be great to limit a token to just a single instance/customer environment and minimize the risk that way.


Also looking forward to the EAP for service accounts and what that would entail. At the moment we are forced to create dummy accounts just to set up an API token, so I'm hopeful that this will somehow allow us to create API tokens linked to the organization with specific permissions while not directly linked to an account (or at least not an account that has to be linked to a proper mailbox).

Christian Schneider
Rising Star
April 15, 2025

Working in psychiatry in Switzerland, we manage lots of different applications interfacing with each other. Service accounts are a vital part of all applications and simplify the management. Love to hear that Atlassian will implement service accounts as well! Is there a feature request that I could follow? (I do not have the time to be a first mover, but I would like to closely follow the developments.)

s_weber
Contributor
April 15, 2025

Awesome, glad to see this coming! When are you aiming for GA?

We already take part in several EAP, so unfortunately we cannot take part.

ricardo_silva
I'm New Here
April 15, 2025

Nice :) Do the service accounts need a valid email address?

Jimi Wikman
Community Champion
April 16, 2025

I love this @Kunwardeep Singh !
The EAP for service account sounds super exciting indeed!

I was wondering, have you considered rate-limiter functionality for Cloud, as in DC?
