Monitor Atlassian Rovo MCP server activity

As an administrator of Atlassian apps, you may be concerned about MCP (Model Context Protocol) servers gaining access to your data. Atlassian provides some tools that can help you control which AI tools can access your site’s data.

Options to monitor and manage MCP activity

The following table contains details of what’s currently covered.

| Function | Location | Description | More info |
|---|---|---|---|
| For visibility: MCP tool invocation logging (Available for all tiers) | Atlassian Administration > Insights > Audit log. Filter for Rovo MCP User Actions or search MCP | Every time a tool is used through the Atlassian Rovo MCP server, an event is recorded in your organization’s audit log. | Each entry includes the tool name, action, and user who performed it. |
| For visibility: An OAuth app is installed for the first time (Requires Guard Standard) | Atlassian Administration > Insights > Audit log. Type MCP in the search field. | Audit logs show when and which user used OAuth to authorize using the Atlassian Remote MCP server (which will automatically install the Atlassian MCP app). | Note: If additional users authorize the app, they do not appear in the audit log. |
| For control: Block/allow user-based OAuth connections | Atlassian Administration > Apps > Sites (select a site) > Site settings > Connected apps > Settings tab | Prevent users from installing any OAuth apps completely. This is a blanket setting. | |


Monitor API token usage in authentication

When your organization uses authentication via API token for Atlassian Rovo MCP server, tools may connect using an API token instead of per‑user OAuth consent. This can change how activity appears in your audit logs:

  • Tool calls may run under a service account or technical user associated with the API token.

  • Audit logs will reflect actions performed by that account, rather than individual end users in the AI tool.

  • You may not see separate audit log entries for each user of the external tool when authentication via API token is used.

To reduce risk when using authentication via API token:

  • Use a least‑privilege account for any API tokens used with Atlassian Rovo MCP server.

  • Regularly review audit logs for that account to detect unusual or unexpected activity.

  • Rotate or revoke API tokens if you suspect they’ve been compromised or misused.
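One way to carry out the audit log review described above for an account tied to an API token, as an added Python example (not Atlassian's code). The event field names, the account name svc-mcp, the tool names, and the hourly threshold are assumptions, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events. The fields (time, actor, tool, action) and all
# values are assumptions for illustration, not Atlassian's export schema.
_ROWS = [
    ("2025-01-10T09:02:11", "svc-mcp", "read_issue", "read"),
    ("2025-01-10T09:15:40", "svc-mcp", "search_pages", "read"),
    ("2025-01-10T09:20:05", "alice", "read_issue", "read"),  # per-user OAuth
    ("2025-01-11T02:01:00", "svc-mcp", "search_pages", "read"),
    ("2025-01-11T02:01:20", "svc-mcp", "search_pages", "read"),
    ("2025-01-11T02:01:45", "svc-mcp", "read_issue", "read"),
    ("2025-01-11T02:02:10", "svc-mcp", "delete_page", "delete"),
]
EVENTS = [dict(zip(("time", "actor", "tool", "action"), r)) for r in _ROWS]


def review_token_account(events, account, allowed_tools, max_per_hour):
    """Flag tool calls by one API-token account that fall outside its
    expected tool set, and hours where its call volume exceeds a baseline."""
    findings = []
    per_hour = Counter()
    for e in events:
        if e["actor"] != account:
            continue  # only the account tied to the API token is reviewed
        hour = datetime.fromisoformat(e["time"]).strftime("%Y-%m-%dT%H")
        per_hour[hour] += 1
        if e["tool"] not in allowed_tools:
            findings.append(("unexpected_tool",
                             f'{e["time"]} {e["tool"]} ({e["action"]})'))
    for hour, count in sorted(per_hour.items()):
        if count > max_per_hour:
            findings.append(("volume_spike", f"{hour}: {count} calls"))
    return findings


if __name__ == "__main__":
    for reason, detail in review_token_account(
            EVENTS, "svc-mcp", {"read_issue", "search_pages"}, max_per_hour=3):
        print(reason, detail)
```

Because every user of the external tool appears as the same account under API token authentication, the baseline here is per account (expected tools and call rate) rather than per person.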

You can choose to disable this authentication method in the Atlassian Rovo MCP server settings, to prevent users from connecting via API token. When disabled, a user trying to connect with an API token will see an error similar to: "You don't have permission to connect via API token. Please ask your admin for access."

To learn how to control whether users can connect via API token, see Control Atlassian Rovo MCP server settings.



Disclaimer

MCP clients can perform actions in Jira, Confluence, and Compass with your existing permissions. Use least privilege, review high‑impact changes before confirming, and monitor audit logs for unusual activity.

Learn more: MCP Clients - Understanding the potential security risks
