API support for Tokens

Raj1 · August 31, 2023, 2:34pm

Hello,

Do we have API support for fetching active tokens in JIra Cloud site? please do share.

thanks.

GrahamTwine1 · September 1, 2023, 2:50pm

Hello @Raj1,

Can you see the security flaw in doing that?

ibuchanan · September 1, 2023, 5:25pm

@GrahamTwine1,

I had a different interpretation of the ask. My interpretation might be phrased as, “I want to know who has API tokens that are used on my site.” I don’t think that ask would be a security vulnerability (on the contrary, a useful way to know one kind of threat vector).

However, to my knowledge, my interpretation is neither possible through the UI nor the API. It would be quite difficult since the API Tokens are not created “per site” but “per user”. User identities for Atlassian are in a cross-site platform; hence, not site-specific. For example, I have an API Token that I can use to access both Atlassian-owned sites and non-Atlassian-owned sites. I can see all the API Tokens I have (UI but not API), but my Atlassian admin cannot see my tokens.

Raj1 · September 1, 2023, 5:44pm

@ibuchanan Your got me right, we have problem with our users who have created too many automations tools, now we are having a hard time in controlling them.

As an admin, i would like to see, how many tokens are created against the site? Who has created it? How much of data is processed against the tokens?

Well, @GrahamTwine1 i don’t want to see the token itself, but would like to manage them?

Right now, its a chaos…Is there someway i can control it? Please advice.

GrahamTwine1 · September 1, 2023, 8:08pm

Human understanding

While reading what @ibuchanan was writing it made so much more sense and I felt a little foolish

Alas there is no way to see access or application logs. There is an outstanding request for this JRACLOUD-46206

May be worth exploring the audit logs to see what people are up to.
I do not think the API token is useful for this but the account ID or email address may be worth exploring.

i.e. Create a report / alert for how often someone does something and take action such as advise then warn then block persistent offenders.

ibuchanan · September 2, 2023, 12:02pm

@GrahamTwine1, Thanks for sharing the outstanding request.

@Raj1, I’ll add there is some movement toward your problem in the Cloud roadmap:

In the meantime, maybe you could convince some users to go with OAuth 2 so that you can get a bit more visibility and control: