Hi,
I have a strange issue. I have two apps set up, one for production, one for staging (OAuth 2.0 integrations). They are both set up with the same credentials and settings.
My app needs access to: View Jira issue data and View user profiles
For the staging application, I am able to get the access token, send the credentials as a bearer token, and successfully call:
https://api.atlassian.com/oauth/token/accessible-resources
It returns the information with the instance url.
When I view the JWT, it has the correct client id for the staging application.
It also has the scopes: read:jira-work read:jira-user offline_access
When I try to use the same JWT as a bearer to get any other information, I get a 401 error (searching tickets, get users, get fields etc).
On production, the exact same code works as expected (against the production app).
I’m at a loss 
@alonsabi welcome to the Atlassian developer community.
Am I correct that you are using the same Jira Cloud site for both staging and production? If so, I believe this is the problem:
They are both set up with the same credentials and settings.
Specifically, each time you authorize the app, the prior authorization is revoked. In other words, OAuth is stateful on Atlassian with the expectation that state is managed through interaction with a single client. Here, sharing the client id and secret across independent, even if identical, clients in staging and production doesn’t fit with those constraints.
The easy thing to do is to create a new Jira Cloud site for staging. However, I would also recommend creating a different OAuth client for staging.
It’s been a while …
I was using a workaround until now but decided to try to fix this properly.
I created a new JIRA account and created a new app in it for staging with the exact same permissions as in production, but I experience the same issue.
I get the prompt to connect the app to my JIRA account, and I accept it.
The app gets the access and refresh tokens, and it is able to call accessible-resources and get a proper response, but when I try to call any other endpoint to get projects/tickets or anything else, it gets a 401 error.
So now I have a staging account with a separate app, but it’s still broken 
Looking at the JWT for the access token, everything seems correct, with the proper scopes (read:jira-work read:jira-user offline_access).
The same configuration works for me in the production environment.
@alonsabi,
Welcome back to the mystery. 
Thorough. You could have created a new client id and secret pair with the same account. Practically, this must mean you are also switching Jira users to do staging and production testing. Sorry, I imagine that is a bit tedious in a development loop. And, to confirm, that’s what you mean here: you have a new client id and secret pair? The uniqueness of an access or refresh token is determined by the intersection of user id, site id, and client id.
This is a new bit of information to me. So, to confirm, you can follow the authorization code flow but any access token you receive is effectively unauthorized for the Jira Cloud platform REST APIs? You don’t even get a 200 on the first use of a fresh access token? If so, I cannot reproduce the problem. The problem seems to be unique to your specific client id and would require some back-end analysis. Please open a DEVHELP ticket.
Yep, I am currently using two different separate accounts, with different application ids.
The initial request succeeds (to the accessible-resources endpoint), but anything else fails.
The JWT of the token shows: "scope": "manage:jira-project read:jira-work read:jira-user offline_access"
I opened a DEVHELP ticket. Thank you.
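An added example, not part of the thread: a Python sketch that decodes two access-token payloads without verifying the signature (for inspection only) and reports the scope and claim differences between a token that works and one that returns 401. The tokens are constructed samples built from the scope strings quoted in the thread; the `client_id` claim name and its values, the issuer URL and all function names are assumptions.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _scopes(claims: dict) -> set:
    """Accept the space-delimited string form (as in the thread) or a list."""
    raw = claims.get("scope", "")
    return set(raw if isinstance(raw, list) else raw.split())


def compare_tokens(working: str, failing: str) -> dict:
    """Report scope and claim differences between two access tokens."""
    a, b = jwt_claims(working), jwt_claims(failing)
    # Claims expected to differ on every token (standard RFC 7519 names).
    volatile = {"iat", "exp", "nbf", "jti", "scope"}
    keys = (a.keys() | b.keys()) - volatile
    return {
        "only_in_working": sorted(_scopes(a) - _scopes(b)),
        "only_in_failing": sorted(_scopes(b) - _scopes(a)),
        "differing_claims": sorted(k for k in keys if a.get(k) != b.get(k)),
    }


def _make_token(claims: dict) -> str:
    """Build an unsigned sample token; constructed data for this demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: "client_id" and the issuer are placeholders, not real values.
PROD = _make_token({"client_id": "PROD-CLIENT-ID", "iss": "https://example.invalid",
                    "scope": "read:jira-work read:jira-user offline_access",
                    "exp": 1700003600})
STAGING = _make_token({"client_id": "STAGING-CLIENT-ID", "iss": "https://example.invalid",
                       "scope": "manage:jira-project read:jira-work read:jira-user offline_access",
                       "exp": 1700007200})

if __name__ == "__main__":
    print(json.dumps(compare_tokens(PROD, STAGING), indent=2))
```

Access tokens are bearer credentials, so decode them locally rather than pasting them into an online JWT viewer.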