Status of API tokens/keys when a user who generated the token/key has left the organization

Platform Notice: Cloud Only - This article only applies to Atlassian apps on the cloud platform.

Summary

Generating an API token/key is one of the ways Atlassian offers to securely provide authentication and authorization for a particular resource. This article addresses whether a token/key remains active after the user who generated it has left the organization.

Environment

Jira Cloud

Solution

It's important to understand whether the credential is an API key generated from the admin portal or an API token generated from the Atlassian user portal.

API Key:

  • If an admin leaves the organization, the API key they generated for the organization remains active, as stated in the following documentation: Manage an organization with admin APIs.

    API keys are associated with the organization and not individual admins. When an admin generates an API key, they exclusively hold the privilege to access the confidential API key value, irrespective of other admins within the organization.

    It is highly recommended to revoke any prior API keys that were accessible to former admins.

API token:

  • However, if an API token was generated from the user portal, the token's access is revoked once the user account has been deleted from the site. Before deleting a user, it is recommended to check whether any of their API tokens are used in automation rules containing "Send web request" actions or in external scripts. This avoids a disruption in service caused by authentication failures once the token is invalidated.

  • When a user is deactivated or unsynced via SCIM, that does not automatically remove their site or product access. As long as the account still has access to your Jira or Confluence site, their user API tokens remain usable and REST calls will continue to succeed.

    To fully prevent their API tokens from being used against your site, you need to:

    • Remove their site/product access or suspend/delete the Atlassian account, and/or

    • If you use Atlassian Guard (Access), revoke their API tokens from the admin side.
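
The cross-check of external scripts and exported automation rules described above can be done as a text scan for credentials that authenticate as the departing user. This is an added example, not Atlassian code; it assumes the token is sent as Basic auth (email:token), and the email addresses, URLs, sample content and function names are constructed for illustration.

```python
import base64
import binascii
import re

# Atlassian Cloud Basic auth is "email:api_token", sent base64-encoded in an
# Authorization header or in clear text through curl's -u/--user option.
BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/]{8,}={0,2})")
CURL_USER_RE = re.compile(r"(?:-u|--user)\s+['\"]?([^\s'\":]+@[^\s'\":]+):")


def basic_auth_user(b64_value):
    """Return the user part of a decoded Basic credential, or None."""
    try:
        decoded = base64.b64decode(b64_value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _secret = decoded.partition(":")
    return user if sep else None


def find_token_usage(text, departing_email):
    """Return (line_number, kind) for each line that authenticates as the user."""
    target = departing_email.lower()
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in BASIC_RE.finditer(line):
            user = basic_auth_user(match.group(1))
            if user and user.lower() == target:
                hits.append((number, "basic-header"))
        for match in CURL_USER_RE.finditer(line):
            if match.group(1).lower() == target:
                hits.append((number, "curl-user"))
    return hits


def constructed_sample():
    """Constructed input: a rule fragment and two scripts, not real data."""
    cred = base64.b64encode(b"jane.doe@example.com:CONSTRUCTED-TOKEN").decode()
    other = base64.b64encode(b"svc-bot@example.com:CONSTRUCTED-TOKEN").decode()
    return "\n".join([
        '{"action": "Send web request",',
        f' "headers": {{"Authorization": "Basic {cred}"}}}}',
        f'curl -H "Authorization: Basic {other}" https://example.atlassian.net/rest/api/3/myself',
        "curl -u jane.doe@example.com:$JIRA_TOKEN https://example.atlassian.net/rest/api/3/search",
    ])
```

Each hit marks a rule or script to move to a credential that will survive the offboarding before the account is deleted.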

Updated on March 9, 2026
