The Atlassian Rovo MCP Server uses OAuth 2.1 as its primary authentication mechanism, providing a secure and standardized way for users to authorize access to resources via an interactive consent flow.
In addition, if enabled by your organization admin, the server supports authentication via API token for machine-to-machine and other non-interactive scenarios, such as backend services, CI/CD pipelines, bots, and automated agents. Authentication via API token lets MCP clients authenticate without a browser-based OAuth consent screen.
Regardless of the method, every action respects the authenticated user's existing access controls and permissions. Access is granted only to data the user already has permission to view, and OAuth and API token authentication both honor configured scopes and Atlassian permissions.
| Method | Best for |
|---|---|
| OAuth 2.1 | Interactive, user-driven scenarios. This is the recommended option. |
| API token | Non-interactive or machine-to-machine use cases only. |
We recommend using authentication via API token only for non-interactive or machine-to-machine use cases. For interactive scenarios, use OAuth 2.1.
If your organization admin has disabled authentication via API token, MCP clients won't be able to connect using a token and will need to use OAuth 2.1 instead. Some tool sets (such as Jira Service Management and Bitbucket Cloud) are only available via API token authentication, so admin enablement is required to use them.
MCP clients can perform actions across connected products with your existing permissions. Use least privilege, review high-impact changes before confirming, and monitor audit logs for unusual activity.