Cloud admin scopes for OAuth 2.0 (3LO), Forge apps, and API keys Scopes enable an app and API keys to request a level of access to an Atlassian product.
API scopes allow you to choose the actions an API key has permission to perform in your organization. You can set scopes for your API keys to view, write, and delete content.
Setting your app's scopes
Forge apps
The easiest way to set your app's scopes is to:
Update to the latest forge-cli packages.Run forge lint --fix
This process does not remove any redundant scopes from the manifest file, and these scopes need to
be removed manually.
If you want to set the scopes manually, you need to:
Review your app to determine all of the operations used.
Consult the Cloud Admin REST API documentation to
determine the scope needed for each operation and create a list of scopes.
Add the scopes required to the app's manifest file while remembering to remove any deprecated
scopes.
OAuth 2.0 apps
For OAuth 2.0 apps, you need to:
Review your app to determine all of the operations used.
Consult the Cloud Admin REST API documentation to
determine the scope needed for each operation and create a list of scopes.
Update the scopes required in the developer console.
Setting your API keys' scopes
For an API key, you need to:
Determine all the endpoints that you need to call using your API key.
Consult the Cloud Admin REST API documentation to determine the scope needed for each operation and create a list of scopes.
When you create your API key in Atlassian Administration, select scopes for the key to perform specific actions in your organization.
Available scopes
These scopes apply to OAuth apps, OAuth integrations, API keys and API tokens.
The title and description are displayed to the user on the consent screen during the authorization flow.
Scope name Summary Description read:classification-levels:adminRead classification levels Get all classification levels by orgId ,
Get a classification level read:domains:adminRead domains Domains APIs read:policies:adminRead policies Get single policy , Get list of policies , Validate a policy read:directories:adminRead directories Get directories in an org read:events:adminRead events Query audit log events , Poll audit log events , Get an event by ID , Get list of event actions read:workspaces:adminRead workspaces Get list of workspaces read:tokens:adminRead API keys and tokens Get all API tokens in an org , Get API token count in an org , Get API key count in an org , Get all API keys in an org read:service-accounts-tokens:adminRead service account tokens Get service account API token count in an org , Get all service account API tokens in an org write:classification-levels:adminWrite classification levels Create a new classification level , Edit a classification level , Publish classification level , Archive a data classification level , Restore a classification level , Reorder classification levels write:policies:adminWrite policies Create a new policy , Update single policy write:products:adminActivate products delete:policies:adminDelete policies Delete single policy delete:tokens:adminRevoke an API keys and tokens Revoke an API key for an org delete:service-accounts-tokens:adminDelete service account tokens Revoke all API tokens for a service account
Currently, scopes are not available for all endpoints. If the endpoint you want to use is not listed on the above table, you need to use an API key without scopes to access that endpoint.
To reduce security risk, you can only create API keys in Atlassian Administration. You're unable to create an API key with an API key because you can't use two-factor authentication.