Atlassian API Token
Detects Atlassian API tokens (ATATT3 prefix), used for Jira, Confluence and other Atlassian Cloud REST APIs. A leaked token grants the associated user's access to projects, issues, wiki content and attachments.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence: the distinctive ATATT3 prefix combined with a fixed 186-character base64url body makes false positives extremely unlikely.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories: credentials, security
- Scope: narrow
- Risk rating: 8
- Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9])ATATT3[A-Za-z0-9_=-]{186}(?![A-Za-z0-9])
Corroborative evidence keywords
atlassian, jira, confluence, api token, api_token, ATLASSIAN_API_TOKEN, basic auth
Proximity: 300 characters
Should match
- ATATT3ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 — Atlassian API token, ATATT3 prefix + 186 chars
- ATLASSIAN_API_TOKEN=ATATT3ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 — Labelled Atlassian token in an env assignment
- ATATT3ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456_-= — Mixed-case Atlassian token with - _ = in body
Should not match
- ATATT3ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij — Body far too short to be a valid Atlassian token
- ATATT2ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 — Wrong prefix marker (ATATT2 not ATATT3)
- rotate the atlassian jira api token in confluence settings — Prose mention without a token value
Known false positives
- Documentation or examples showing placeholder ATATT3 strings. Mitigation: Require corroborative keywords and check for placeholder markers (example, xxxx).
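The following scanner is an added example, not part of the original pattern definition or of any DLP product: it combines the pattern, the corroborative keywords, the 300-character proximity window and the placeholder mitigation listed above into one triage verdict per hit. The names `scan` and `SAMPLE_TOKEN`, the verdict labels, case-insensitive keyword matching and looking for placeholder markers inside the token body are assumptions made for illustration.

```python
import hashlib
import re
import string

# Pattern, keywords and proximity are copied from the page.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])ATATT3[A-Za-z0-9_=-]{186}(?![A-Za-z0-9])")
KEYWORDS = ("atlassian", "jira", "confluence", "api token", "api_token",
            "atlassian_api_token", "basic auth")
PROXIMITY = 300
# Markers named in the page's false-positive mitigation. Looking for them
# inside the token body (rather than the context) is an assumption.
PLACEHOLDER_MARKERS = ("example", "xxxx")

# Constructed sample: the page's "should match" body, not a real credential.
SAMPLE_TOKEN = "ATATT3" + (string.ascii_uppercase + string.ascii_lowercase
                           + string.digits) * 3


def scan(text):
    """Return one finding per pattern hit, without echoing the secret."""
    findings = []
    for m in TOKEN_RE.finditer(text):
        token = m.group()
        # Context is the 300 characters on each side, excluding the token.
        before = text[max(0, m.start() - PROXIMITY):m.start()]
        after = text[m.end():m.end() + PROXIMITY]
        context = (before + "\n" + after).lower()
        keywords = [k for k in KEYWORDS if k in context]
        if any(p in token.lower() for p in PLACEHOLDER_MARKERS):
            verdict = "placeholder"
        elif keywords:
            verdict = "corroborated"
        else:
            verdict = "uncorroborated"
        findings.append({
            "offset": m.start(),
            "verdict": verdict,
            "keywords": keywords,
            # Fingerprint lets responders deduplicate hits without storing the token.
            "fingerprint": hashlib.sha256(token.encode()).hexdigest()[:12],
        })
    return findings


if __name__ == "__main__":
    for line in ("ATLASSIAN_API_TOKEN=" + SAMPLE_TOKEN, SAMPLE_TOKEN,
                 "jira: ATATT3" + "x" * 186):
        print(scan(line))
```

The boundary assertions only exclude letters and digits, so a 186-character body followed by `-`, `_` or `=` still matches; findings carry an offset and a truncated SHA-256 fingerprint so the scan output does not become a second copy of the credential.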