401 Unauthorized error when service account accesses Jira or Confluence API

Summary

When you use a service account to attempt to interact with the Jira and/or Confluence Cloud REST API, the response code 401 is returned, or the response indicates permission issues.

There are two types of API tokens:

• The general API Token

• The more specific API token with scope

Service accounts can only create scoped API tokens.

Solution

Ensure correct API endpoint URLs are used

As listed in our documentation on service accounts, scoped API tokens use a different URL structure when accessing the REST API. For example:

• Jira scoped token API: https://api.atlassian.com/ex/jira/<cloudId>/{api}

  • NOT: https://<your-domain>.atlassian.net/{api}

• Confluence scoped token API: https://api.atlassian.com/ex/confluence/<cloudid>/{api}

  • NOT: https://<your-domain>.atlassian.net/{api}

To correct errors returned by the API when using a service account's API token, use the appropriate URL format for the API token type.

Third-party integration errors

 Integrations may ask you to indicate a user account and an API token to connect to Jira. These integrations very likely don't "know" there are two types of tokens and two URL formats, and there is no way to distinguish them just from the token itself.

If an integration requires an API token and does not specify which type it needs, we can assume it is asking for a non-scoped API token. The API token with scopes, as generated for Service accounts, will not work in an integration unless specifically accounted for in the app's development. If you experience issues with integrations and Service Accounts, please reach out to the third-party app vendor to confirm whether they support API Tokens with scopes.

Please refer to CLOUD-12617: Add support for atlassian.net when sending web requests with scoped API tokens to avoid permission errors, which was raised requesting API Tokens with scopes to support the mysite.atlassian.net URL format