Agentic Data Plane
beta

Jira Managed MCP Server

The Jira managed MCP server lets agents search, read, and manage Jira issues. It authenticates with either a shared API token (Basic authentication) or, for per-user identity, user-delegated OAuth. With OAuth it’s the enterprise counterpart to the Slack setup guide, and Atlassian’s flow has its own scope model and quirks worth calling out.

After reading this page, you will be able to:

  • Configure the Jira managed MCP server with Basic authentication or Atlassian’s OAuth flow

  • Pick the right scopes for the tools your agents use

  • Walk a user through the consent flow and verify the connection

What this MCP server does

The Jira managed type exposes the following read tools:

  • query: Search for issues using a JQL query. Returns the matching issues as JSON.

  • get_issue: Retrieve a single issue by its key, for example PROJ-123.

  • list_projects: Return visible Jira projects, optionally filtered by a search query.

  • get_transitions: Return the available workflow transitions for an issue.

It also exposes the following write tools:

  • create_issue: Create a new issue.

  • update_issue: Update fields on an existing issue.

  • transition_issue: Move an issue to a new workflow state.

  • add_comment: Add a comment to an issue.

  • add_worklog: Log time spent on an issue.

  • create_issue_link: Create a directional link between two issues.

Prerequisites

  • A Jira (Atlassian Cloud) site and its base URL, for example https://mycompany.atlassian.net.

  • Credentials for one of the following authentication modes:

    • Basic auth: An Atlassian account email and an API token from id.atlassian.com, with the token stored in the Redpanda ADP secret store.

    • User-delegated OAuth: An Atlassian OAuth 2.0 (3LO) app registered against https://api.atlassian.com, plus an OAuth Provider in Redpanda ADP configured for Atlassian’s authorize/token URLs and carrying the app’s client credentials. See Configure User-Delegated OAuth.

Atlassian’s scope model (user-delegated OAuth)

When you use user-delegated OAuth, Atlassian uses a granular, prefixed scope namespace. The tools need:

Scope Allows

read:jira-user

Read user profile.

read:jira-work

Read issues, projects, sprints, and so on. Required by the read tools.

write:jira-work

Create and update issues, transitions, comments, and worklogs. Required by the write tools.

offline_access

Issue a refresh token so Redpanda can refresh expired access tokens. Required for any long-lived MCP server: without it, tokens expire after one hour and users re-consent every time.
Always include offline_access in required_scopes. Without it, OAuthTokenExpired will hit users every hour.

Configure

  1. Open MCP Servers > Create Server.

  2. Pick Jira from the marketplace picker.

  3. Fill in identity fields (name, description).

  4. In the Jira configuration form:

    • Base URL: Your Jira instance URL, for example https://mycompany.atlassian.net.

    • Max results per page (optional): Page size for paginated queries. Defaults to 50.

    • Auth: Choose Basic auth or User-delegated OAuth.

      • For Basic auth: Provide the account email and the API-token secret reference.

      • For User-delegated OAuth: Pick the Atlassian OAuth Provider you configured, and set Required scopes to at least read:jira-user, read:jira-work, and offline_access. Add write:jira-work if your agents use the write tools.

  5. Click Create.

  1. Open the Inspector tab.

  2. Run an issue-search tool with a small JQL filter.

  3. The first call returns OAuthConnectionRequired with an Atlassian authorize_url. The Inspector surfaces it as a consent prompt.

  4. Click Authorize. Atlassian asks you to pick a site (Cloud instance) and approve scopes.

  5. Atlassian redirects back. Your connection appears under Connections with a site label.

  6. Re-run the search; results come back.

Use with agents

Point an agent at the API URL on the server’s detail page. Each user calling the agent will trigger their own consent flow on first call.

With user-delegated OAuth, define the server’s required_scopes to include every scope the tools need: Atlassian doesn’t allow per-tool scope upgrades, so the user consents once with the full set.

Troubleshooting

Symptom What to check

OAuthTokenExpired after about an hour

offline_access wasn’t in required_scopes at consent time. Update the server config and have users re-consent.

"Resource not found" for a project the user has access to

Atlassian’s OAuth grants are site-scoped. The user authorized for one Cloud instance; the project lives on another. They need to re-consent with the second site.

scope_upgrade_required after widening scopes

You added a scope to required_scopes after users had already consented. Users re-consent with the higher scope.

invalid_grant during refresh

Refresh tokens expire if unused for ~90 days. The user re-consents.

Limitations

  • Atlassian app management: The OAuth app and its callback URLs are managed in developer.atlassian.com, not in ADP.

  • Jira Server / Data Center (self-hosted): This MCP type targets Atlassian Cloud. Self-hosted Jira may need a self-managed MCP server instead. See Register a self-managed MCP server.

  • Confluence access: Separate scope namespace; not exposed by this MCP server.

Next steps