Adding Jira provisions a resource (the upstream Atlassian API at https://api.atlassian.com/ex/jira, with default scopes pre-set) and a provider for Atlassian’s OAuth issuer - auto-provisioned on first install, or reused if you already connected another Atlassian resource.
Your application calls Keycard’s token-exchange endpoint with the user’s identity, gets back a token scoped to this resource, and uses it to call Atlassian directly. Identity, policy, and audit log apply to every exchange - the OAuth client secret stays inside Keycard. Each exchange is recorded in the audit log with the user identity, the resource accessed, and the policy decision.
Scopes
OAuth permissions Keycard requests on install. Override or add scopes in Console.
- read:jira-work (default)
- read:jira-user (default)
- write:jira-work (default)
- manage:jira-project
- manage:jira-configuration
- manage:jira-webhook
Use Jira from your code
Call Jira from your application with a Keycard-issued token scoped to this resource.
After installing Jira, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.
```python
from keycardai.oauth import Client, BasicAuth, TokenType
import requests

# Exchange the user's Keycard token for a Jira token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://api.atlassian.com/ex/jira",
    )

# Call Jira directly with the exchanged token.
r = requests.get(
    "https://api.atlassian.com/ex/jira/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)
```

```typescript
import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";

const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});

const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://api.atlassian.com/ex/jira",
});

// Call Jira directly with the exchanged token.
const res = await fetch("https://api.atlassian.com/ex/jira/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});
```

See the OAuth SDK → Token Exchange reference for the full client API.
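The following is an added example, not Keycard's code or SDK. It builds the request that the `exchange_token` call would correspond to if the endpoint follows RFC 8693 token exchange with HTTP Basic client authentication (an assumption), then checks the scopes on the response against the default scopes listed on this page before the token is used. The function names and the presence of a `scope` field in the response are also assumptions.

```python
import base64
from urllib.parse import quote_plus, urlencode

# RFC 8693 identifiers; that Keycard's endpoint uses them is an assumption.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JIRA_RESOURCE = "https://api.atlassian.com/ex/jira"
# Default scopes listed on this page.
DEFAULT_SCOPES = frozenset({"read:jira-work", "read:jira-user", "write:jira-work"})


def build_exchange_request(client_id, client_secret, subject_token):
    """Return (headers, body) for a token-exchange POST (hypothetical helper)."""
    # RFC 6749 section 2.3.1: form-encode the id and secret before base64.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "resource": JIRA_RESOURCE,
    })
    return headers, body


def check_exchange_response(payload, needed, allowed=DEFAULT_SCOPES):
    """Return the access token only if its scopes fit the caller's needs."""
    if str(payload.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if not payload.get("access_token"):
        raise ValueError("no access_token in response")
    granted = set(str(payload.get("scope", "")).split())
    missing = set(needed) - granted
    if missing:
        raise PermissionError(f"token lacks scopes: {sorted(missing)}")
    excess = granted - set(allowed)
    if excess:
        raise PermissionError(f"token carries unapproved scopes: {sorted(excess)}")
    return payload["access_token"]
```

Rejecting a token that carries scopes outside the allowlist catches a resource whose scopes were widened in Console (for example with one of the `manage:` scopes) without the calling service being reviewed for it.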
Register your OAuth credentials with Keycard so the resource can issue tokens.
Create an Atlassian OAuth app
- Go to the Atlassian Developer Console
- Click Create → OAuth 2.0 integration
- Enter a name for your integration
- Click Create
Configure Jira permissions
- Go to Permissions in your app settings
- Find Jira and click Add
- Configure the scopes:
  - read:jira-work - Read Jira project and issue data
  - read:jira-user - Read user information
  - write:jira-work - Create and edit issues
Set the callback URL
- Go to Authorization in your app settings
- Click Add next to OAuth 2.0 (3LO)
- Enter the redirect URI provided by Keycard as the Callback URL
Get credentials
- Go to Settings in your app
- Note the Client ID and Secret
Register in Keycard
- Open Keycard Console → your zone → Resources
- Click Explore Resources
- Find and click Jira in the catalog
- In the configuration dialog:
  - If this is your first Atlassian resource, copy the Redirect URL and verify it’s set as the callback URL in your Atlassian OAuth app. Enter the Client ID and Secret from your app settings.
  - Review the User scopes - the defaults (read:jira-work, read:jira-user, write:jira-work) are pre-populated
- Click Add Jira API
Troubleshooting
Common errors when wiring Jira into your zone.
Empty accessible-resources response
The user hasn’t granted access to any Atlassian sites. During the OAuth consent flow, ensure you select at least one site. If re-authorizing, you may need to revoke and re-grant access.
Error 401: Unauthorized
The token is invalid or expired. Atlassian tokens expire after a short period. Reconnect the provider in Keycard Console - Keycard will handle the refresh if a refresh token was issued.
Error: consent_required
The app’s permissions were updated after the user last authorized it. The user needs to re-authorize to grant the new scopes. Remove the provider connection and connect again.
Related
- Catalog overview - browse other API and MCP servers
- Access policies - control who can use Jira
- Identity providers - control who can sign in