Major changes to Jira Cloud REST APIs are coming to improve user privacy

Throughout 2018 and 2019, Atlassian will undertake a number of changes to our products and APIs in order to improve user privacy in accordance with the European General Data Protection Regulation (GDPR). In addition to pursuing relevant certifications and data handling standards, we will be rolling out changes to Atlassian Cloud product APIs to consolidate how personal data about Atlassian product users is accessed by API consumers.

A summary of all relevant API changes has been posted in the JIra Cloud Platform API docs:



I have a question regarding the user’s privacy setting for retrieving their displayname and emailaddress by using the API.

Will the default configuration allow us to retrieve the information or will it be restricted, and are addons notified when this setting changes?


Life of a cloud vendor ain’t easy :roll_eyes:


Hi @t.kamp,

We’re still in the process of finalizing our approach on this, we will let you know when we have more information.

1 Like

Hi @dmeyer,

Thanks for keeping me updated. I would like to share how this would impact our app and possibly lots of other apps in the marketplace.

We are working on Atlas CRM which makes it possible to manage sales from within Jira. This particular part of Atlas CRM focuses on collaborating with your team to close more sales in the sales funnel.

The features that we build for sales are very alike to the features that exist for issues in Jira. These features rely on the information that might be restricted in the future. Just to name a few features that are impacted by this restriction;

  • Assigning Atlassian users to sales;
  • Filtering sales based on assigned Atlassian users;
  • Writing notes for sales (comments, communication);
  • Activity feed;
  • etc.

As you may have noticed we use the information of Atlassian users to improve the user experience of our app. If this personal information is going to be private (by default), our users will be missing out on a lot of functionality that our add-on provides.

Kind regards,
Timo van der Kamp

1 Like

Hi - This user related change will heavily impact our app.

It wont be easy to migrate everything from user_key to AccountID.

Is there any other vendor who is also facing same issues? How should we address this? And is there any timeline when user_key will be removed?

Thank You.

@dmeyer / @nmansilla - The User API change has massive impact on our Product. Migration from UserKey to AccountId across our customer base and it also has impact on what they are seeing today. The End Users are not going to like this and this is not good for any vendor.

1 Like

To request an OAuth 2.0 access token you currently need to provide the user’s user-key. Is this also going to change to account-id?

1 Like

and what about asUser() method in atlassian-connect:

I expect it will work with accountId insdead of userKey. (for now it works with both of them)

Thank you.

Timo, on Major changes to Atlassian Connect APIs are coming to improve user privacy, we have listed the elements of the Atlassian Connect API that will change with GDPR.

The “sub” claim of the OAuth 2.0 JWT Bearer token authorization grant currently requires a user key. Apps will instead need to provide the Atlassian Account ID (AC-2409).

From each issue on that page, you will find related issues linked. The API change you are asking about is tracked on AC-2437 and is available in production since a week ago.

1 Like

@avelit, changes to the atlassian-connect-express library for GDPR are tracked on ACEJS-115.

@epehrson, I recently upgraded one of my apps to ACE v3.2.0 which includes support for these changes.

As a result, my application logs are now full of deprecation warnings (2 x sets of these messages for every request made from the host product to my app):

Please note that timezone, locale, userId and userKey context parameters are deprecated.

Is there a way to suppress these messages (my app doesn’t rely on any of the deprecated parameters, so no changes were required to my app); or do I just need to wait until the end of the deprecation period? (which is when?)

The description in ACEJS-115 is “Enable apps to opt-in to using GDPR-compliant APIs.”, but there doesn’t appear to be any details on how apps are able to opt-in? (or in this instance does “apps” == “Atlassian Connect Express”?)

Hi @scottohara,

Wrt how apps can opt-into GDPR changes - the documentation and migration guide has not been published yet. Please watch for announcement soon. We expect to publish detailed info within 2 weeks from now.