This changelog is the source of truth for all changes to the Cloud Admin APIs.
We will not be issuing any new waivers for apps that need to request or store Atlassian user API tokens. This decision is part of our ongoing commitment to enhancing security and protecting customer trust.
Forge Apps that have already been granted waivers must ensure a lack of alternative solutions within Forge. They can continue to operate, but no additional waivers will be granted for new modules or new functionality within the same app.
Connect apps that have been granted waivers and any existing Connect app requesting or storing Atlassian user API tokens are required to migrate to Forge, with tokens stored in Forge encrypted storage.
For more details, read our FAQ
We're excited to introduce a suite of new Admin APIs designed to enhance your management of user accounts and streamline integration with SCIM. These APIs provide powerful tools to manage user data and access efficiently.
Delete User in SCIM Database Using Atlassian Account ID (AAID) Effortlessly remove a user from your SCIM database by referencing their Atlassian Account ID. Explore more
Retrieve SCIM Links for an Atlassian Account ID (AAID) within an Organization Access all SCIM-related links associated with a specific Atlassian Account ID in your organization. Explore how
Retrieve SCIM Links for an Email Address within an Organization Obtain SCIM links by simply using an email address, streamlining the process of managing user connections. Explore more
Unlink a SCIM User from Their Atlassian Account Decouple a SCIM user from their Atlassian account with ease, ensuring flexibility in user management. Explore more
We are changing the expiration duration of existing API tokens. Currently, existing API tokens have an infinite duration. To make API tokens more secure, we are automatically setting the expiration for all existing API tokens to one year.
On March 13, 2025, existing API tokens created without expiry will be assigned an expiry date. Your token will not expire sooner than 12 months from this date.
Understand more about managing API tokens for your Atlassian account
On February 18th, we announced that we will begin enforcing REST API (Quota and Burst based) rate limits for all free Jira and Confluence apps on or after August 18, 2025 and that we have added additional headers to provide further transparency.
To ensure Marketplace partners are able to decipher whether or not they’re facing actual rate limits, we have rolled out beta- prefixed headers. These will appear to notify partners that they would have breached the upcoming quota and burst based rate limits. The headers will be as follows:
Beta-Retry-After
X-Beta-RateLimit-NearLimit
X-Beta-RateLimit-Reason
X-Beta-RateLimit-Reset
However, if you do receive headers without beta-, be advised that you are facing rate limits.
Learn more about the new limits and headers for Jira here and Confluence here.
To enhance the performance and scalability of the Atlassian cloud platform, we have introduced a new events polling endpoint for retrieval of events in a simple, paginated manner with time-based filtering only.
For more advanced filtering use the existing events API endpoint.
To gain a deeper understanding of the API and assist with your migration process, refer to this comprehensive guide. (add link)
To improve performance and address constantly evolving threats on the web, Atlassian is enabling AWS Cloudfront Content Delivery Network (CDN) and Web Application Firewall (WAF) for all Confluence and Jira Cloud Customers.
This rollout will occur over the next few months, country by country, progressively, with each country taking around 1-2 weeks to complete the migration.
This improvement may unfortunately impact some Jira and Confluence Cloud API integrations (like those written in Python, Node/JS, Java, libcurl, Axios, atlassian-connect-express etc) that attempt to make requests with URLs (including path and query string) longer than 8192 characters/bytes.
Where previously Jira and Confluence Cloud APIs handled paths longer than 8192 characters/bytes, AWS Cloudfront will actively reject such requests:
The maximum length of this URL is 8192 bytes.
If a request or a URL exceeds these maximums, CloudFront returns HTTP status code 413, Request Entity Too Large, to the viewer, and then terminates the TCP connection to the viewer.
Unfortunately, it is not possible to configure Cloudfront to allow longer URLs.
Atlassian products such as Loom, Trello, Opsgenie, Statuspage etc already reject 8192 characters/bytes urls.
For resolution instructions see more details below.
To resolve the issue, break up API calls into multiple requests, or restructure your API call such as using labels or field filters instead of enumerating individual work items.
I saw the error in my Chrome/Firefox/Edge/Safari etc browser
If you observed the aforementioned error in your browser please contact Atlassian Support, and ideally include the full text of the error, including Trace ID, and a HAR file covering the error: https://confluence.atlassian.com/kb/generating-har-files-and-analyzing-web-requests-720420612.html
We have recently noticed an unusual increase in API usage. In order to maintain reliable services for both Atlassian customers and partners, we will begin enforcing more granular rate limits for Confluence and Jira APIs.
We will begin enforcing REST API (Quota and Burst based) rate limits for all free apps on or after August 18, 2025. We have added additional headers to provide further transparency. Please monitor header responses to see where you are at with regard to limits.
In some circumstances where apps are highly impacting the stability of our platform, we reserve the right to enforce the limits at an earlier date. We will notify your listed contact via email if you are impacted. Additionally, we are planning to bring clarity to rate limits across our platform infrastructure over the next year, including paid apps.
We recommend all customers and partners ensure they're not exceeding the rate limits so that they do not get impacted at a later date.
Learn more about the header responses and read relevant FAQs about rate limiting adjustments for Jira here and Confluence here.
You can now Assign roles to a group, Revoke roles from a group and Invite user to an org via APIs.
These will help you:
Grant and revoke product access to groups.
Invite user to org and add them to the directory.
Assign a role for a given resource
The APIs are in limited availability and access. The development, release, and timing of any features or functionality described herein remain at the sole discretion of Atlassian and are subject to change. Please reach out to Atlassian support to get access to the APIs.
You can now Grant user access and Revoke user access via APIs.
These will help you:
Grant Platform Roles to a user
Revoke Platform Roles from a user
The APIs are in limited availability and access. The development, release, and timing of any features or functionality described herein remain at the sole discretion of Atlassian and are subject to change. Please reach out to Atlassian support to get access to the APIs.
Moving forward API tokens will no longer have an an infinite lifespan. It will now have a default maximum 1-year expiry duration for API tokens. If you have Atlassian Guard, you will be able to set a shorter API token expiry duration via an authentication policy. Enforcing default expiry increases admin control over token management, improving your organization’s security posture.
What’s the update?
All existing API tokens created by users will have a default expiry duration of 1-year
Any new API token created by users after 18 December 2024 will have a default expiry duration of 1-year
When users try to access APIs with an expired API token, they will get an authentication error
Admins with Atlassian Guard will be able to configure the expiry of API tokens via an authentication policy
What action do I need to take?
No action is required
If you wish to configure the expiry of API tokens, you will need to do so via an authentication policy (available in Atlassian Guard)
To learn more about managing API tokens at your organization, please review our documentation.
We have added a new API to retrieve authentication policy information for a specified list of managed users.
This feature supports bulk actions, allowing information to be gathered for multiple users simultaneously.
This API allows you to retrieve the following information:
policyId
Date the user was added to the policy
We're announcing new IP ranges that will soon be available for requests from external clients, such as browsers and API integrations:
13.35.248.0/24
13.227.180.0/24
13.227.213.0/24
These ranges won't be used to make outgoing connections from Atlassian Cloud to remote systems, for example, webhooks.
To prepare for this change, update your firewalls and other security measures to allow connections to the new IP ranges.
For more information, see IP addresses and domains for Atlassian Cloud products, which includes instructions on how to receive notifications of changes, as well as links to machine-readable lists of our IP ranges.
We are introducing two new authentication policy APIs to help keep your organization more secure. You can now:
These APIs provide a set of rules that apply to a specific area and a particular group. Use these APIs to:
Create data security policy
Create a data residency policy
Specify IP addresses for product access
This API will delete the user in our SCIM DB with your Atlassian Account ID (AAID). This will apply to all directories in your organization matching that AAID and only works for managed users.
Explore the API.
Rate this page: