I’m trying to test some service account usage and I’m constantly running into problems with them - Manage API tokens for service accounts | Atlassian Support . As a simple use case I’m replacing existing user credentials with service account + REST API token + replacing the URL with corresponding https://api.atlassian.com/ex/jira/#{cloud_id}. It works for some things, but not for others. E.g. - I get 401 when requesting https://api.atlassian.com/ex/jira//rest/agile/1.0/board. Now, I’m pretty sure I set the scope for reading the board. Did I misremember? Did I misclick? Did it get lost during form submission or on the backend? It would be nice to see after the fact, but I can’t find a way to see the token’s scope after it has been created. Can anyone direct me to such place? Is it part of the enterprise plan? Some undocumented API endpoint? Or is the board access simply not available to service accounts? As a genera catch-all for troubleshooting I would try a token that has all scopes, but even that is not available, as it is limited to 50, which is not a large part of total scopes available.
Hello @JnisVanags
Ahh, this is why it’s important that, when you create the scopes for the Service Account, you create them in groups with names that help remind you what scopes are inside.
Well, I was going to suggest try using the Get all service account API tokens in an org endpoint, which should return all the scopes for a particular service account, but I just tried it against one of my Service Accounts with OAuth 2.0 credentials and various Granular scopes inside, and it returned…a 200 response, but an empty array. When I asked the API endpoint to tell me how many Credentials were in that Service Account, it returned:
“validServiceAccountIds”: [{“serviceAccountId”: “-REDACTED-”,“credentialsCount”: 0}]
No Credentials???
I’ll have to dig deeper.
Well @JnisVanags I dug deeper and deeper and have some bad news. The documentation for the API Access APIs is very misleading!
The API Token endpoints all say things like “Gets count of API tokens for specified service accounts within an organization” or “Retrieves API tokens for a specific service account within an organization” but it’s not quite true. Those endpoint consider tokens as being the API Token type that contain Classic scopes, and so those endpoints can find and return them, and tell you their details like creation date, expiry date etc, as well as all the scopes inside them.
However, those endpoints do not consider OAuth 2.0 credentials as tokens so you can’t get any information at all about those or any of their inner Granular scopes!
This means, that after the OAuth 2.0 credential + scopes have been created for the Service Account, you cannot retrieve that information from the GUI or any API endpoint ever again! This makes giving the credentials a very, VERY informative name even more important.
I’ve spent some time liaising with ChatGPT validating this. After I got it to correct its own mistakes (sheesh, that’s tiresome), it finally accepted what I found and provided this cheat sheet as to what information you can or can’t get from those API Access endpoints about Service Accounts:
Atlassian Cloud Admin APIs – Service Account Credential Cheat Sheet
| Credential Type | Scope Type | How Created in GUI | Counted by credentialsCount? |
Appears in GET /api-tokens? |
|---|---|---|---|---|
| API Token | Classic | Service Account → Add Credential → API Token → add classic scopes |  Yes |
Yes (full token details: scopes, expiry, etc.) |
| OAuth 2.0 | Classic | Service Account → Add Credential → OAuth 2.0 → add classic scopes |  No |
No |
| OAuth 2.0 | Granular | Service Account → Add Credential → OAuth 2.0 → add granular scopes | No |
No |
Thank you for looking into this. As I’m testing non-oauth tokens, this is useful. I created a new admin token and was able to list that my service account token does indeed have what I think are the needed privileges:
[{“id”:“...”,
“label”:“read boards token”,
“createdAt”:“2025-11-21T10:55:27.701189Z”,
“lastActiveAt”:“2025-11-21T10:57:42.100001Z”,
“expiresAt”:“2026-11-20T15:17:27Z”,
“status”:“ALLOWED”,
“scopes”:[“read:board-scope.admin:jira-software”,“read:board-scope:jira-software”]
However, when I try to access /rest/agile/1.0/board endpoint, it responds with
{“code”:401,“message”:“Unauthorized; scope does not match”}
What am I missing? Is it a different scope?
Good to hear you’ve found a use for that API and it’s returning the information you need to know about that Service Account’s credentials and scopes.
Is it a different scope?
Yes. Refer to the Get all boards endpoint’s documentation.
The two scopes needed for that endpoint are read:board-scope:jira-software and read:project:jira.
Thanks, this works. Now I can iterate further.
If anyone from Atlassian is reading - it would be nice to see the scopes in UI after token is created.
There’s already Feature Request AX-1687 in JAC for that.
Add your vote!