The Jira app provides read/write access to Atlassian Jira Cloud through the official REST API v3 (platform) and Agile 1.0 (Jira Software). It can be consumed two ways: as a remote MCP server that Agent Factory agents call as tools, or as a Builder app whose instructions you call directly from DSUL. The MCP surface groups every operation into seven entity tools (issues, search, projects, users, metadata, agile, attachments), each driven by an action argument, and runs in the tenant app-instance context (it resolves the installing workspace’s own credentials and gates which agents may call it). Authentication is per-user and supports several modes:
- Per-user OAuth2 — central client (
oauthCentral, recommended) — one Atlassian 3LO OAuth app is registered once by the platform maintainer; every end user signs in with their own Atlassian account. Nothing to register per tenant: each workspace just installs the app and clicks Connect. - Per-user OAuth2 — tenant client (
oauth) — paste your own Atlassian OAuth client ID/secret in the connector config app. Each user signs in with their own account against your client (PKCE authorization-code, 3LO). - API token — HTTP Basic (
apiToken) — an Atlassian account email + API token + your*.atlassian.netsite. A single shared service identity, no interactive sign-in. - Direct access token (
accessToken) — a caller-managed Atlassian access token, used as-is with no exchange.
Issues & workflow
Projects & metadata
Per-user Atlassian OAuth
Who is this for?
This connector is used by three different roles. Jump to the section that matches yours — each one is self-contained.Agent builder
Platform admin
Workspace builder
Prerequisites (Atlassian side)
- An Atlassian Jira Cloud site (
https://yoursite.atlassian.net) and an account with permission on the projects you intend to use. - For the OAuth modes: an OAuth 2.0 (3LO) app registered in the Atlassian Developer Console, with the Jira platform REST API added and the scopes below granted. For the
apiTokenmode instead: an Atlassian account email + an API token generated at Atlassian API Tokens. - The base URL is resolved automatically: OAuth modes call
https://api.atlassian.com/ex/jira/{cloudId}(thecloudIdis discovered from the granted site); theapiTokenmode callshttps://{site}.atlassian.netdirectly.
Platform admin (Governance) — one-time platform setup
Platform admin (Governance) — one-time platform setup
1. Configure the connector
Register the OAuth 2.0 (3LO) app at Atlassian
https://api.studio.prisme.ai/v2/workspaces/slug:jira-next/webhooks/oauthCallback on production — <api-url> is the production API URL. Copy the exact URI from the connector’s configuration app, which renders it for you.) Then under Permissions, add the Jira platform REST API and enable the scopes listed in Prerequisites. Note the Client ID and Secret from Settings.Choose classic or granular scopes — and decide about Agile
read:jira-work, write:jira-work, read:jira-user, manage:jira-project, manage:jira-configuration) do not appear in the granular list and cannot be mixed with granular Jira Software scopes on the same token.- For the 36 platform operations (issues, search, projects, users, metadata, attachments) — keep the classic scope set above. Simple, recommended.
- To additionally enable the
agiletool (boards / sprints / backlog) — you must migrate the app to a fully-granular set (every platform scope plusread:board-scope:jira-software,write:board-scope:jira-software,read:sprint:jira-software,write:sprint:jira-software), because the Agile API rejects a token that also carries any classic scope. This is verbose (~30-40 scopes) and is the only way to use Agile.
Enter the credentials through the configuration app
jira-next workspace and launch its Configuration app — <studio>/apps/jira-next (e.g. https://studio.prisme.ai/apps/jira-next), also linked as Configuration app on the installed instance. Switch to the maintainer view and follow the in-app instructions to paste the Client ID, Client Secret and the Scopes — the app stores them in the core workspace’s secrets for you. Do not edit Studio’s raw Secrets by hand. These credentials stay in the jira-next workspace and are never exposed to tenants or end users; token exchange is proxied through the core centralTokenExchange webhook so the client secret never leaves the core workspace.2. Declare the capability in AI Governance
Generic connectors — broad tool surfaces meant to be shared across many agents, like Jira — are best exposed as a named capability in AI Governance. Agent builders then enable that capability on their agents instead of pasting a raw MCP endpoint.Point it at the MCP endpoint
agent_id in the scope is what lets the connector identify and authorize the calling agent.Make it available to agent builders
- Agent builder (Agent Factory)
- Workspace builder (DSUL)
Agent builder
Goal: let an agent you build in Agent Factory read and act on Jira through MCP tools.agent_id that Agent Factory injects through the capability Scope, and that agent must appear in the connector’s authorized-agents allowlist (managed in the configuration app). The Atlassian token itself is resolved server-side from the configured auth mode.There are two ways to wire it up. Pick based on how much isolation you need.Option A — Enable the shared capability from the catalog
The fastest path: a Platform admin has already published a Jira capability (see the Platform admin setup accordion above, §2), so you just pick it from the catalog.Open your agent in Agent Factory
Add the Jira capability
context_id,agent_id,user_id) are already wired by the admin — nothing to paste, and the shared instance accepts every agent, so there is no allowlist step on your side.Option B — Run it from your own workspace (recommended)
For production agents, install the connector in your own workspace and point the agent at that workspace’s MCP endpoint.Install and configure the connector in your workspace
Allowlist your agent
Add the MCP capability to your agent
agent_id is what lets the connector identify and authorize your agent — without it, every call is rejected with an explicit “agent could not be identified” message. This Scope is separate from the Atlassian OAuth scopes.Brief the agent in its system prompt
Whichever option you pick, wiring the capability is not enough — the agent must know the MCP exists and when to use it. Copy-pasteable starter:agent_id.write:jira-work, manage:jira-project and manage:jira-configuration.) With central OAuth (oauthCentral) you do not create your own Atlassian client — keep oauthCentral and just enter the read-only scopes; your tenant scope overrides the platform default (the central app must expose those read scopes). Write calls are then rejected by Atlassian with 403. Note this is set at the workspace level — a workspace editor can widen it again; a provider-side restriction (a read-only Atlassian account/permission scheme) is the only hard guarantee. For the apiToken mode, restrict at the provider instead by backing the connection with a Jira account that has read-only project permissions.Available Tools
Each tool takes anaction argument selecting the concrete operation, plus the per-action parameters.| Tool | Description |
|---|---|
issues | Jira issues (REST v3). Actions: get, create, update, delete, assign, getTransitions, doTransition, getComments, addComment, getEditMeta. Rich text uses ADF; users by accountId. |
search | Search issues with JQL (POST /rest/api/3/search/jql). Action: jql. Token-based pagination via nextPageToken. |
projects | Jira projects. Actions: list, get, components, versions, statuses. |
users | Jira users (identified by accountId). Actions: search, get, myself, assignable. |
metadata | Discover fields, types and create metadata. Actions: fields, issuetypes, priorities, statuses, createmeta, createmetaFields. |
agile | Jira Software boards, sprints & backlog (Agile 1.0). Actions: boards, getBoard, boardIssues, sprints, getSprint, sprintIssues, backlog. Requires a fully-granular Jira Software OAuth setup (see Prerequisites). |
attachments | Issue attachments. Actions: getMeta, delete (add is not available inline — upload binaries via Jira directly). |
Output Formats
Every tool accepts anoutputFormat argument that controls the MCP response shape:verbose(default) — human-readable text optimized for LLM consumptionstructured— machine-readable JSON instructuredContentboth— both the text and the structured content
Tool Details
search
| Parameter | Required | Description |
|---|---|---|
action | Yes | jql. |
body | Yes | Search request { jql, maxResults (≤100), nextPageToken, fields: [..], expand }. Always pass fields to limit the payload. |
body.nextPageToken | No | Cursor from a previous response to fetch the next page (the legacy startAt is not used here). |
issues
| Parameter | Required | Description |
|---|---|---|
action | Yes | One of get, create, update, delete, assign, getTransitions, doTransition, getComments, addComment, getEditMeta. |
issueIdOrKey | For everything but create | Issue id or key, e.g. DEV-123. |
body | For create/update/assign/doTransition/addComment | Jira v3 JSON body. Create/update use { fields } (or { update }); assign { accountId }; doTransition { transition: { id } }; addComment { body: <ADF doc> }. |
fields | No | fields query param (comma-separated list, or *all) for get. |
deleteSubtasks | No | delete only — "true" to delete subtasks. |
metadata
| Parameter | Required | Description |
|---|---|---|
action | Yes | One of fields, issuetypes, priorities, statuses, createmeta, createmetaFields. |
projectIdOrKey | For createmeta/createmetaFields | Project id or key. |
issueTypeId | For createmetaFields | Issue type id (from createmeta). |
customfield_…) with metadata fields, then confirm it is on the create screen for that project + issue type with createmeta → createmetaFields before passing it in issues create/update.agile
| Parameter | Required | Description |
|---|---|---|
action | Yes | One of boards, getBoard, boardIssues, sprints, getSprint, sprintIssues, backlog. |
boardId | For getBoard/boardIssues/sprints/backlog | Agile board id. |
sprintId | For getSprint/sprintIssues | Sprint id. |
state | No | sprints only — future, active or closed. |
jql / fields | No | Optional JQL filter and comma-separated field list (boardIssues, sprintIssues, backlog). |
users
| Parameter | Required | Description |
|---|---|---|
action | Yes | One of search, get, myself, assignable. |
query | For search/assignable | Name or email fragment. |
accountId | For get | Atlassian accountId. |
project / issueKey | For assignable | Scope assignable users to a project or issue. |
accountId (not username) in every issue body — myself returns the connected user’s own accountId.Error Handling
| HTTP code | Meaning |
|---|---|
400 | Bad request — invalid JQL, malformed body, or a field value Jira cannot parse. |
401 | Unauthorized — the Atlassian token is missing, expired or revoked. The user must reconnect (OAuth modes). |
403 | Forbidden — insufficient OAuth scope (e.g. a write with read-only scopes), or the account lacks permission on the project. |
404 | Not found — the issue, project, board, sprint or attachment id does not exist or is not visible to the account. |
422 | Unprocessable — a required field is missing or invalid; resolve field ids with metadata fields / createmetaFields. |
429 | Rate limit — back off and retry. |
500 / 503 | Atlassian service error — transient; retry shortly, no reconnection needed. |
Common Issues
“This agent is not authorized to use this connector” — The calling agent is not in the allowlist. Open the configuration app → Authorized agents → tick this agent (or enable Allow all agents) and Save. “The calling agent could not be identified” — The MCP capability Scope does not declareagent_id, so Agent Factory never injects the agent identity. Set the Scope to context_id,agent_id,user_id on the capability, then allow the agent in the config app.
“Jira is not connected for this user” — No per-user OAuth token. Open the configuration app (OAuth mode) and click Connect, or use the agent’s connect flow.
“token refresh failed … must reconnect” — The stored refresh token was revoked or expired (Atlassian invalidated it). The connection is dropped automatically; the user must reconnect from the config app.
“OAuth is not configured” — Neither a tenant Atlassian client nor the central platform client is available. Set the OAuth client ID/secret in the config app, or ask the platform maintainer to provision the central OAuth client.
Agile call fails with “scope does not match” — The agile tool needs a fully-granular Jira Software OAuth app; it cannot run on a token that carries classic scopes. Either migrate the Atlassian app (and the connector Scopes field) to the fully-granular set, or avoid the agile operations. This is an Atlassian platform limitation (classic and granular Jira Software scopes are mutually exclusive on a token).