Atlassian JWT (Server version)

Atlassian JWT is a library for authenticating requests containing JWTs (JSON Web Tokens) in the query string or Authorization header. It is based on the 11th draft of the JSON Web Token IETF memo by the OAuth Working Group.

See the JWT draft for more information on making JWT authenticated requests.

Note to Atlassian developers: This is the Atlassian Server version of the library. As of February 2019, Cloud products still use the library but intend to fork when changes are required.

How do I..

Build atlassian-jwt

Run mvn clean install from the root directory. (Append -DskipTests if you want to skip the tests.)

Run atlassian-jwt in an Atlassian product

Build atlassian-jwt, install the Atlassian SDK, then run atlas-debug -Dproduct=jira from the /plugin directory.

Project modules


The collection of interfaces and utility classes that form the stable API of atlassian-jwt.


The reference implementation of jwt-api.

A set of services for issuing and verifying JWTs to/from applications linked via application-links.


An Atlassian plugin that bundles jwt-api, jwt-core and jwt-applinks modules.


An Atlassian plugin that is deployed alongside jwt-test-plugin to expose test functionality needed by the jwt-integration-tests module.

This module should never be deployed in production.


A light-weight Jetty application and set of test classes that run against an Atlassian application.

Supported Signing Algorithms

Atlassian JWT supports the following JWA signing algorithms:

Deployment environments

Atlassian products

Atlassian products should add the jwt-plugin as a bundled plugin.

Optionally, an Atlassian product may include the jwt-api, jwt-core and jwt-applinks libraries in their WEB-INF/lib directory and look up the implementations provided by jwt-plugin via OSGi. In this way JWT services may be used from the product core.

3rd party applications

Since atlassian-applinks is non-trivial to implement, 3rd party applications should embed only the jwt-api and jwt-core libraries. The integration-tests module contains an example Jetty application that embed jwt-api and jwt-core as a reference.

Upgrade notes


Added a new SPI, JwtIssuerClaimVerifiersRegistry that allows issuers to provide their own claim verifiers. The default still verifies the qsh claim but issuers are now able to verify custom claims.


Upgraded to Atlassian's Java platform 5 in order to support Java 11.


This version switched to Nimbus JOSE JWT 4.x which among other changes has enforced requirements on the minimal secret key length of 256 bits.


Build and release plan is located at