Rest API Auth Possibilities


i want to integrate web application with jira cloud rest api and webhooks. In the documentation is mentioned basic/OAuth 1.0a. Is it possible to use OAuth 2.0/JWT in some way? I saw OAuth 2.0/JWT in attlasion connect, but i dont want to extend the jira UI, i just want to make changes to existing jira cloud (like creating issues etc.), be notified about changes and query data - or does the connect make sense in API use only?

Thanks and best regards,


Hi @m.novak,

OAuth 2 as you describe isn’t currently supported but we are working to add support:

You can create an Atlassian Connect app for Jira and use this to make API requests without extending the UI – the main limitation is that users will need to install the app into their Jira site, and you will need some way to authenticate back to your existing web application.


Thanks @dmeyer. I’am just not sure how authentication with Atlassian Connect works yet.

From what i read… Server part of my application can have API which serves application descriptor. Than admin of given Jira Cloud “installs” Atlassian Connect app (links my API of descriptor) , than jira gives my app security context for given Jira Cloud and Admin user (which installed the app descriptor). Later in my app i can use OAuth2 bearer token (after some rest calls) to create issue (but only on behalf of admin which installed app - because i can have only his bearer token). It that right?



Hi @m.novak, once you have the bearer token you can use it to impersonate any user in Jira (it’s a site-wide grant). But if you are triggering the actions in an external application, you will need to find a way to associate users in Jira with users in your application.

1 Like

Hi @dmeyer , is there a best practice for managing authentication to an external API (not the Jira REST API)? I have a Web Panel that I want to query my app’s backend, but I’m not sure where I can manage app secrets to authenticate to the backend.

The Jira + GitHub integration flow seems like what I want (, but I’m not sure exactly how this DVCS connector works. Do I have to develop a form for the user to input the app key/secrets like this, or is there a standardized way of doing this?

I need a place within Jira to allow the user to stick my app’s API keys. Then, ideally, the secrets can be used to generate a token that I can pass to my Web Panel, which then uses that token to query my API. A bit of a windy path, but seems like the correct way to do given the tools.

Is there a way to achieve this flow? Thanks!

Perhaps the “more correct” way to do this is to push the state of my backend to Jira using the Jira REST API. However, that seems like it won’t scale that well. If I have 1 million objects in my backend and 1 million tickets (1 to 1 relationship), updating each object’s state change in Jira would be bad. If I needed to introduce a new property to my object model in my backend, updating Jira with all of those would be taxing. Much more streamlined to simply change the look up in my Web Panel. Thoughts?

For anyone who is looking for guidance in the future, I ended up using the atlassian-connect-express with success. The framework offers JWT authentication to the add-on backend, which allows you to ensure the user is authenticated in Jira. Then, make the call to your own backend API from the plugin backend. The add-on backend essentially acts as a proxy to my own API. Unfortunately, this means more moving parts, however, it addresses the security issue.

1 Like

This is the recommended path. Thanks @karan