Well @JnisVanags I dug deeper and deeper and have some bad news. The documentation for the API Access APIs is very misleading!
The API Token endpoints all say things like “Gets count of API tokens for specified service accounts within an organization” or “Retrieves API tokens for a specific service account within an organization” but it’s not quite true. Those endpoints consider tokens as being the API Token type that contain Classic scopes, so those endpoints can find and return them, and tell you their details like creation date, expiry date etc, as well as all the scopes inside them.
However, those endpoints do not consider OAuth 2.0 credentials as tokens, so you can’t get any information at all about those or any of their inner Classic or Granular scopes!
This means, that after the OAuth 2.0 credential + scopes have been created for the Service Account, you cannot retrieve that information from the GUI or any API endpoint ever again! This makes giving the credentials a very, VERY informative name even more important.
I’ve spent some time liaising with ChatGPT validating this. After I got it to correct its own mistakes (sheesh, that’s tiresome), it finally accepted what I found and provided this cheat sheet as to what information you can or can’t get from those API Access endpoints about Service Accounts:
Atlassian Cloud Admin APIs – Service Account Credential Cheat Sheet
| Credential Type | Scope Type | How Created in GUI | Counted by credentialsCount? |
Appears in GET /api-tokens? |
|---|---|---|---|---|
| API Token | Classic | Service Account → Add Credential → API Token → add classic scopes |  Yes |
Yes (full token details: scopes, expiry, etc.) |
| OAuth 2.0 | Classic | Service Account → Add Credential → OAuth 2.0 → add classic scopes |  No |
No |
| OAuth 2.0 | Granular | Service Account → Add Credential → OAuth 2.0 → add granular scopes | No |
No |