Last updated Jun 30, 2026

Authentication and authorization

The Atlassian Rovo MCP Server uses OAuth 2.1 as its primary authentication mechanism, providing a secure and standardized way for users to authorize access to resources via an interactive consent flow.

In addition, if enabled by your organization admin, the server supports authentication via API token for machine-to-machine and other non-interactive scenarios - for example, backend services, CI/CD pipelines, bots, and automated agents. Authentication via API token lets MCP clients authenticate without a browser-based OAuth consent screen.

Regardless of the method, every action respects the authenticated user's existing access controls and permissions. Access is granted only to data the user already has permission to view, and OAuth and API token authentication both honor configured scopes and Atlassian permissions.

Choosing an authentication method

| Method | Best for |
| --- | --- |
| OAuth 2.1 | Interactive, user-driven scenarios. This is the recommended option. |
| API token | Non-interactive or machine-to-machine use cases only. |

We recommend using authentication via API token only for non-interactive or machine-to-machine use cases. For interactive scenarios, use OAuth 2.1.

Admin controls

If your organization admin has disabled authentication via API token, MCP clients won't be able to connect using a token and will need to use OAuth 2.1 instead. Some tool sets (such as Jira Service Management and Bitbucket Cloud) are only available via API token authentication, so admin enablement is required to use them.

Security best practices

MCP clients can perform actions across connected products with your existing permissions. Use least privilege, review high-impact changes before confirming, and monitor audit logs for unusual activity.
