Cloud Admin changelog

We recently introduced new Directory, Users, and Groups REST APIs, available for all customers to manage their users and groups. These APIs supersede several existing REST APIs, which we’re removing in June 2026.

The following v1 APIs will stop working after June 30, 2026:

Users

• Search for users in an organization: POST/v1/orgs/{orgId}/users/search

• Suspend user access: POST/v1/orgs/{orgId}/directory/users/{accountId}/suspend-access

• Restore user access: POST/v1/orgs/{orgId}/directory/users/{accountId}/restore-access

• Remove user access: DEL/v1/orgs/{orgId}/directory/users/{accountId}

Groups

• Search for groups within an organization: POST/v1/orgs/{orgId}/groups/search

• Create group: POST/v1/orgs/{orgId}/directory/groups

• Delete group: DEL/v1/orgs/{orgId}/directory/groups/{groupId}

• Assign roles to a group: POST/v1/orgs/{orgId}/directory/groups/{groupId}/roles/assign

• Revoke roles from a group: POST/v1/orgs/{orgId}/directory/groups/{groupId}/roles/revoke

• Add user to group: POST/v1/orgs/{orgId}/directory/groups/{groupId}/memberships

• Remove user from group: DEL/v1/orgs/{orgId}/directory/groups/{groupId}/memberships/{accountId}

These v1 APIs are only available to customers with the centralized user management experience.

We updated the Get users in an organization API to expand the response, add more fields, and support more filters.

Expanded response

Previously, this API only returned users in your directories. Now, this API will also return your organization’s managed accounts, even if they’re not in a directory.

New fields

Additionally, these new fields will be returned for managed accounts:

• managementSource — Whether this account was manually invited to a directory or synced from an identity provider

• mfaEnabled — Whether or not two-step verification is enabled on this account

• forDeletion — Whether or not this account is scheduled for deletion

• jobTitle — Job title of the user

• department — Department the user belongs to

• organization — Organization the user belongs to

• location — Location of the user

• timeZone — Time zone the user is in

Many of these fields are also returned in the existing Identity API to Retrieve a user profile and synchronization data (all data).

New filters

The following request filters are now available for Get users in an organization API:

• emailVerified — Filter accounts by whether or not their email has been verified

• mfaEnabled — Filter accounts by whether or not two-step verification is enabled on the account

• forDeletion — Filter accounts by whether or not they’re scheduled for deletion

• emailDomains — Filter by email domain of the account (only possible with verified domains)

We updated the Get count of users in an organization API to support more filters.

The following request filters are now available for Get count of users in an organization API:

• emailVerified — Filter accounts by whether or not their email has been verified

• mfaEnabled — Filter accounts by whether or not two-step verification is enabled on the account

• forDeletion — Filter accounts by whether or not they’re scheduled for deletion

• emailDomains — Filter by email domain of the account (only possible with verified domains)

We updated the Get user stats API to expand the response. The response will now include claimStatus, which provides the total number of managed accounts claimed by your organization.

We are introducing new Directory, User, and Group APIs. These APIs are designed to work seamlessly with both centralized user management experience and the original user management experience, providing enhanced flexibility and control for managing users and groups within your organization.

• Get directories in an organization
  Retrieve a paginated list of directories in your organization that match the supplied parameters.

• Get users in an organization
  Retrieve a paginated list of users in your organization that match the supplied parameters.

• Get user role assignments
  Retrieve a paginated list of role assignments for a user that match the supplied parameters.

• Suspend user access in directory
  Temporarily suspend a user’s access in a directory, removing their access to apps.

• Restore user access in directory
  Restore a user’s access in a directory, allowing them to access apps again.

• Remove user from directory
  Remove a user from a directory to revoke their access and remove them from the directory.

• Get count of users in an organization
  Retrieve the count of users in your organization that match the supplied parameters.

• Get user stats
  Retrieve user statistics for your organization.

• Get groups in an organization
  Retrieve a paginated list of groups in your organization that match the supplied parameters.

• Create group
  Create a new group in a directory to manage app access and permissions for multiple users.

• Get group details
  Retrieve detailed information about a specific group.

• Delete group
  Delete a group from a directory if it is no longer needed.

• Get group role assignments
  Retrieve a paginated list of role assignments for a group that match the supplied parameters.

• Grant access to group
  Assign a role to a group, granting all members the same role.

• Remove access from group
  Revoke a role from a group, removing app access from all members.

• Get the count of groups in an organization
  Retrieve the count of groups in your organization that match the supplied parameters.

• Get group stats
  Retrieve group statistics for your organization.

• Add user to group
  Add a user to a group, granting them the same app access and permissions as the group.

• Remove user from group
  Remove a user from a group, revoking any app access and permissions granted by the group.

We've implemented a new rate limit for invoking the last-active-dates API, capped at 200 requests per 60 seconds. The existing standard rate limits for all APIs can still apply for varying reasons. When writing APIs, ensure that you are handling exponential back-offs by reading the rate limit response headers.

Atlassian Team entities are now able to be modified via many existing Group APIs if a Team ID is passed instead of a Group ID. They will not be returned in search or lookup results. They can be fetched and modified by ID.

This new API endpoint allows users to retrieve a paginated list of directories within an organization that meets specified criteria.

It supports filtering and pagination to efficiently manage and access directory data based on the provided parameters.

All Policies V2 APIs have been marked as deprecated and will be temporarily disabled. We are currently working on updates and improvements, and the updated APIs will be re-enabled and available for use soon.

Here is the list of APIs that are affected by this change:

• Get list of policies V2

• Create a new policy V2

• Get single policy V2

• Update single policy V2

We will not be issuing any new waivers for apps that need to request or store Atlassian user API tokens. This decision is part of our ongoing commitment to enhancing security and protecting customer trust.

Forge Apps that have already been granted waivers must ensure a lack of alternative solutions within Forge. They can continue to operate, but no additional waivers will be granted for new modules or new functionality within the same app.

Connect apps that have been granted waivers and any existing Connect app requesting or storing Atlassian user API tokens are required to migrate to Forge, with tokens stored in Forge encrypted storage.

We're excited to introduce a suite of new Admin APIs designed to enhance your management of user accounts and streamline integration with SCIM. These APIs provide powerful tools to manage user data and access efficiently.

1. Delete User in SCIM Database Using Atlassian Account ID (AAID) Effortlessly remove a user from your SCIM database by referencing their Atlassian Account ID. Explore more

2. Retrieve SCIM Links for an Atlassian Account ID (AAID) within an Organization Access all SCIM-related links associated with a specific Atlassian Account ID in your organization. Explore how

3. Retrieve SCIM Links for an Email Address within an Organization Obtain SCIM links by simply using an email address, streamlining the process of managing user connections. Explore more

4. Unlink a SCIM User from Their Atlassian Account Decouple a SCIM user from their Atlassian account with ease, ensuring flexibility in user management. Explore more

We are changing the expiration duration of existing API tokens. Currently, existing API tokens have an infinite duration. To make API tokens more secure, we are automatically setting the expiration for all existing API tokens to one year.

• On March 13, 2025, existing API tokens created without expiry will be assigned an expiry date. Your token will not expire sooner than 12 months from this date. 

Understand more about managing API tokens for your Atlassian account

On February 18th, we announced that we will begin enforcing REST API (Quota and Burst based) rate limits for all free Jira and Confluence apps on or after August 18, 2025 and that we have added additional headers to provide further transparency.

To ensure Marketplace partners are able to decipher whether or not they’re facing actual rate limits, we have rolled out beta- prefixed headers. These will appear to notify partners that they would have breached the upcoming quota and burst based rate limits. The headers will be as follows:

• Beta-Retry-After

• X-Beta-RateLimit-NearLimit

• X-Beta-RateLimit-Reason

• X-Beta-RateLimit-Reset

However, if you do receive headers without beta-, be advised that you are facing rate limits.

To enhance the performance and scalability of the Atlassian cloud platform, we have introduced a new events polling endpoint for retrieval of events in a simple, paginated manner with time-based filtering only.

For more advanced filtering use the existing events API endpoint.

To improve performance and address constantly evolving threats on the web, Atlassian is enabling AWS Cloudfront Content Delivery Network (CDN) and Web Application Firewall (WAF) for all Confluence and Jira Cloud Customers.

This rollout will occur over the next few months, country by country, progressively, with each country taking around 1-2 weeks to complete the migration.

This improvement may unfortunately impact some Jira and Confluence Cloud API integrations (like those written in Python, Node/JS, Java, libcurl, Axios, atlassian-connect-express etc) that attempt to make requests with URLs (including path and query string) longer than 8192 characters/bytes.

Where previously Jira and Confluence Cloud APIs handled paths longer than 8192 characters/bytes, AWS Cloudfront will actively reject such requests:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html

The maximum length of this URL is 8192 bytes.

If a request or a URL exceeds these maximums, CloudFront returns HTTP status code 413, Request Entity Too Large, to the viewer, and then terminates the TCP connection to the viewer.

Unfortunately, it is not possible to configure Cloudfront to allow longer URLs.

Atlassian products such as Loom, Trello, Opsgenie, Statuspage etc already reject 8192 characters/bytes urls.

For resolution instructions see more details below.