Skip to content

How to Fix Jira OAuth (Atlassian) Token Expired or Invalid

DodaTech Updated 2026-06-24 3 min read

In this tutorial, you'll learn about How to Fix Jira OAuth (Atlassian) Token Expired or Invalid. We cover key concepts, practical examples, and best practices.

Jira Cloud uses OAuth 2.0 (Atlassian API tokens) for authentication. When your API requests return 401 Unauthorized or 403 Forbidden, the access token has expired, the token does not have the required scopes, or the refresh token flow was not implemented correctly.

The Problem

Your application calls the Jira REST API and receives:

HTTP 401: "Unauthorized - The authentication credentials are missing or invalid"
HTTP 403: "Forbidden - Your account does not have the required permissions"

Wrong approach — generating a new API token manually every time.

The Fix

For API token authentication (simplest approach):

1. Go to https://id.atlassian.com/manage/api-tokens
2. Create a new API token
3. Use it as Basic Auth: base64("email:api_token")
4. Authorization: Basic <base64_encoded>

For OAuth 2.0 (3LO) with refresh tokens:

1. Request authorization: GET /authorize?response_type=code&scope=read:jira-user
2. Exchange code for tokens: POST /oauth/token { grant_type: authorization_code, code }
3. Store the refresh_token securely
4. When access_token expires (3600s), use refresh_token:
   POST /oauth/token { grant_type: refresh_token, refresh_token }

Check token scopes:

Verify the token has read:jira-user, read:jira-work, or manage:jira-project
If scopes were granted for read-only, write operations will fail with 403

Expected output:

API requests return 200 with valid data
Access tokens refresh automatically when expired
No 401 or 403 errors for authorized scopes

Prevention Tips

  • Use API tokens for server-to-server integrations — they do not expire until revoked
  • Implement refresh token rotation for OAuth 2.0 3LO flows
  • Store tokens securely in environment variables or a secrets manager
  • Token scopes are additive — request only what your integration needs
  • Monitor token expiry in logs to detect refresh failures early

Common Mistakes with oauth atlassian

  1. Forgetting deriving (Show, Eq) on custom data types needed for debugging
  2. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
  3. Using head and tail instead of pattern matching, causing runtime errors on empty lists

These mistakes appear frequently in real-world JIRA code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### How long does an Atlassian OAuth access token last?

Access tokens expire after 1 hour (3600 seconds). Refresh tokens last 30 days. If the refresh token is not used for 30 days, it expires and the user must re-authorize. Implement token refresh well before the expiry to avoid disruption.

What is the difference between an API token and an OAuth access token?

An API token is a static token you create manually in your Atlassian account settings. It does not expire until revoked. An OAuth access token is time-limited (1 hour) and obtained through the OAuth 2.0 authorization flow. API tokens are simpler for automation.

Can I use OAuth 2.0 for machine-to-machine communication?

Yes, use the OAuth 2.0 client credentials grant (Jira Data Center/Server) or an API token (Jira Cloud). The client credentials flow does not require user interaction and is suitable for backend services that need Jira access.

Related: DodaTech's OAuth Token Manager stores, refreshes, and rotates Atlassian OAuth tokens automatically, with expiration alerts and audit logging for compliance. Use with DodaZIP for secure credential storage.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro