Reminder: Migrate from using API tokens to officially supported authentication for Atlassian apps & integrations

Hi Marketplace partners, following our earlier guidance on building secure, scalable integrations (https://www.atlassian.com/blog/developer/building-secure-and-scalable-integrations-our-guidance-for-third-party-apps), this is a reminder to complete your migration away from collecting or storing Atlassian API tokens (Cloud) and to use officially supported authentication (Forge or 3LO/OAuth 2.0).

Additionally, Atlassian is introducing new controls that will impact API token usage:

What's Changing

  • Apps and integrations should not instruct customers to generate/share any API tokens belonging to Atlassian accounts (including user and admin), and apps must not store Atlassian user credentials.

  • Migration deadline: Complete the authentication migration by December 31st, 2025.

  • Enforcement timeline: starting January 1st, 2026, apps that continue to collect or store personal API tokens will be subject to enforcement and may no longer be supported.

Support:

  • If you received an ADDON ticket from Atlassian regarding API token collection, please continue to collaborate with us. Atlassian is committed to supporting your app and assisting you as we explore migration steps.

  • If you did not receive an ADDON ticket but believe your app is impacted, contact our developer support portal https://ecosystem.atlassian.net/servicedesk/customer/portal/34/group/109/create/579 before December 31st, 2025, so we can review your case.

Take Action Now:

  • Review and update your app or integration to use officially supported Forge or 3LO/OAuth 2.0 authentication and remove any collection or storage of personal API tokens.

  • If you haven’t already done so, reply in your ADDON ticket with all endpoints your app uses to authenticate with API tokens, and share your migration plan.

  • If your app uses API tokens and you did not receive an ADDON ticket, contact support before December 31st, 2025 to initiate a review.

For best practices, please see Atlassian’s guidance:

Can you elaborate if and how this affects service accounts? Understand service accounts | Atlassian Support


Hello @SrivathsavGandrathi

This is a tiny gripe, but Personal Access Tokens (PATs) are for the Data Center products, not the Cloud products. Avoid using the acronym ‘PAT’ when referring to Cloud API Tokens.

Thank you for the feedback, I corrected the post.

@andreas.schmidt Let me get back to you on this.

To clarify, the guidance to migrate away from API tokens to officially supported authentication methods applies equally to both user accounts and service accounts. From a security perspective, API tokens—whether generated for a user or a service account—present the same risks when shared or stored by third-party apps and integrations.