Control Atlassian Rovo MCP server settings

The Atlassian Rovo MCP server enables AI tools, like Claude.ai or ChatGPT, and other MCP‑compatible tools to securely connect to Jira, Confluence, and Compass. As an admin, you can control:

Which tools and domains are allowed to connect
How tools authenticate, including OAuth 2.1 (default, recommended) and using API tokens (advanced)
How these settings work with your existing security controls, such as IP allowlisting and app management policies

To see which domains are available and how to add your own, see Available Atlassian Rovo MCP server domains.

You can only block domains for AI tools that use OAuth 2.1, but not when they use API tokens to access your organization.

Block Atlassian-supported domains

To block Atlassian-supported domains:

Go to Atlassian Administration. Select your organization if you have more than one.
Select Apps > AI settings > Rovo MCP server.
Deselect Allow Atlassian supported domains.

What are Atlassian-supported domains?

Add domains

You can add domains you trust to enable integrations with specific AI tools.

To add a domain:

Go to Atlassian Administration. Select your organization if you have more than one.
Select Apps > AI settings > Rovo MCP server.
Select Add domain.

How to format domain URLs

Delete domains

You can remove domains from your organization to prevent AI tools from accessing your apps.

To delete a domain:

Go to Atlassian Administration. Select your organization if you have more than one.
Select Apps > AI settings > Rovo MCP server.
From the domain, select Delete.

Configure authentication

By default, users connect AI tools to Atlassian Rovo MCP server using OAuth 2.1.

Additionally, you can also allow tools to connect using an API token, which is useful for:

Service‑style or non‑interactive tools that need consistent access without user prompts
Backend systems or automations that call Atlassian Rovo MCP server on behalf of a shared account

Authentication controls how tools authenticate, and works together with your existing controls:

Domains – The Atlassian Rovo MCP Server settings control which AI tools and domains are allowed to connect. A tool must use a domain that is allowed here, whether it connects via OAuth 2.1 or API token.
IP allowlists – Your organization’s IP allowlists still control where users and tools can connect from. Requests made through Atlassian Rovo MCP server must originate from an IP address that is allowed by your organization’s IP allowlist for the relevant Atlassian app, regardless of whether the tool uses OAuth 2.1 or an API token.

Disabling authentication via API token does not change allowed domains or IP allowlists. It only prevents tools from using API tokens to authenticate with the Atlassian Rovo MCP server. If disabled, users will be advised to contact their admin for access. See Authentication and authorization.

To control whether tools can authenticate via API token:

Go to Atlassian Administration. Select your organization if you have more than one.
Select Apps > AI settings > Rovo MCP server.
In the Authentication section, turn API token on or off.

How IP allowlisting works with Atlassian Rovo MCP server

IP allowlisting is an Atlassian Cloud security control that restricts access to your products based on trusted source IP addresses or ranges. If your organization uses IP allowlisting, those policies also apply when users access Jira, Confluence, Compass, or Rovo through the Atlassian Rovo MCP Server.

Where you manage IP allowlists

You manage IP allowlists in Atlassian Administration, not in the Atlassian Rovo MCP Server settings.

For details on how to configure IP ranges and which Atlassian apps are supported, see Specify IP addresses for app access.

How IP allowlists affect MCP server usage

When a user runs tools through the Atlassian Rovo MCP server, the request is evaluated against your organization’s IP allowlist for the relevant Atlassian app (for example, Jira, Confluence, Compass, or Rovo).

If the user’s IP address is allowed, the tool call proceeds, subject to their normal Atlassian app permissions.
If the user’s IP address is not allowed, the tool call is blocked and the user sees an error similar to: You don't have permission to connect from this IP address. Please ask your admin for access.

The OAuth 2.1 consent screen may still appear for users connecting from blocked IPs, but tool calls will fail until their network is included in the organization’s IP allowlist.

How IP allowlists relate to domain settings

The Atlassian Rovo MCP server exposes two complementary controls:

Domain settings (on this feature): control which AI tools and domains are allowed to connect to your organization.
IP allowlists (organization-level): control where users can connect from, regardless of which AI tool they use.

For a tool call to succeed, it must:

Come from a domain that you allow in the Atlassian Rovo MCP server settings, and
Originate from an IP address that is allowed by your organization’s IP allowlists (if configured).

Note, some AI tools set their own outbound IP addresses. This means if a user tries to connect using the AI tool from an allowed network – for example, their corporate VPN – the calls may still be blocked unless the tool’s IP ranges are also added to the allowlist.

Disclaimer

MCP clients can perform actions in Jira, Confluence, and Compass with your existing permissions. Use least privilege, review high‑impact changes before confirming, and monitor audit logs for unusual activity.

Learn more: MCP Clients - Understanding the potential security risks

Was this helpful?

It wasn't accurateIt wasn't clearIt wasn't relevant

Still need help?

The Atlassian Community is here for you.

Ask the Community