Understand Atlassian Rovo MCP server
The Atlassian Rovo MCP (Model Context Protocol) server allows tools, like AI assistants and developer environments, to securely access Jira, Confluence, and Compass data. This enables your AI tools to perform actions, such searching for work items, summarizing pages, or bulk-creating new content via natural language commands.
What are Atlassian-supported domains?
Atlassian-supported domains are a list of Atlassian AI partners. Atlassian works with AI companies like Anthropic or OpenAI that create AI tools like Claude.ai or ChatGPT.
Atlassian-supported domains allow you to connect AI tools that meet Atlassian standards to Jira, Confluence, and Compass. By default, we automatically allow the Atlassian-supported domains that enable OAuth connections between AI tools and the Atlassian apps in your organization.
You can block all Atlassian-supported domains from accessing apps in your organization. You cannot block individual domains. You can only allow or block the entire domain list. See Block Atlassian-supported domains for more details.
Authorize your domains
You can authorize access to the Atlassian Rovo MCP server for AI tools that you trust. When you add a domain, this approves it for users in your organization to connect to AI tools. See Add domains for details.
How IP allowlisting works with Atlassian Rovo MCP server
IP allowlisting is an Atlassian Cloud security control that restricts access to your products based on trusted source IP addresses or ranges. If your organization uses IP allowlisting, those policies also apply when users access Jira, Confluence, Compass, or Rovo through the Atlassian Rovo MCP Server.
Where you manage IP allowlists
You manage IP allowlists in Atlassian Administration, not in the Atlassian Rovo MCP Server settings.
For details on how to configure IP ranges and which Atlassian apps are supported, see Specify IP addresses for app access.
How IP allowlists affect MCP server usage
When a user runs tools through the Atlassian Rovo MCP server, the request is evaluated against your organization’s IP allowlist for the relevant Atlassian app (for example, Jira, Confluence, Compass, or Rovo).
If the user’s IP address is allowed, the tool call proceeds, subject to their normal Atlassian app permissions.
If the user’s IP address is not allowed, the tool call is blocked and the user sees an error similar to:
You don't have permission to connect from this IP address. Please ask your admin for access.
The OAuth 2.1 consent screen may still appear for users connecting from blocked IPs, but tool calls will fail until their network is included in the organization’s IP allowlist.
How IP allowlists relate to domain settings
The Atlassian Rovo MCP server exposes two complementary controls:
Domain settings (on this feature): control which AI tools and domains are allowed to connect to your organization.
IP allowlists (organization-level): control where users can connect from, regardless of which AI tool they use.
For a tool call to succeed, it must:
Come from a domain that you allow in the Atlassian Rovo MCP server settings, and
Originate from an IP address that is allowed by your organization’s IP allowlists (if configured).
Note, some AI tools set their own outbound IP addresses. This means if a user tries to connect using the AI tool from an allowed network – for example, their corporate VPN – the calls may still be blocked unless the tool’s IP ranges are also added to the allowlist.
Disclaimer
MCP clients can perform actions in Jira, Confluence, and Compass with your existing permissions. Use least privilege, review high‑impact changes before confirming, and monitor audit logs for unusual activity.
Learn more: MCP Clients - Understanding the potential security risks
Was this helpful?