## Summary

Enhance credential handling with:

- Support for shared `ATLASSIAN_API_TOKEN` env var (same token works for Jira and Confluence)
- Documentation for secure token storage methods in README
- Document the credential resolution order
## Current Behavior (Good!)

`jira-ticket-cli` already correctly prioritizes env vars over config file (`internal/config/config.go`):

```go
func GetAPIToken() string {
    if v := os.Getenv("JIRA_API_TOKEN"); v != "" {
        return v
    }
    cfg, err := Load()
    // ... fall back to config file
}
```

Current env vars: `JIRA_DOMAIN`, `JIRA_EMAIL`, `JIRA_API_TOKEN`
## Proposed Changes

### 1. Add `ATLASSIAN_API_TOKEN` as fallback

Since Jira and Confluence use the same Atlassian API token, support a shared env var:

```go
func GetAPIToken() string {
    if v := os.Getenv("JIRA_API_TOKEN"); v != "" {
        return v
    }
    if v := os.Getenv("ATLASSIAN_API_TOKEN"); v != "" { // NEW
        return v
    }
    cfg, err := Load()
    // ... fall back to config file
}
```

This allows users to set one env var for both `jira-ticket-cli` and `cfl` (confluence-cli).
### 2. Document secure storage in README

Add a "Secure Token Storage" section:

````markdown
## Secure Token Storage

Your API token is sensitive. Rather than storing it in a config file, we recommend
using environment variables with a secret manager:

### 1Password CLI (Recommended)

```bash
# In your .zshrc or .bashrc
export ATLASSIAN_API_TOKEN="$(op read 'op://Vault/Atlassian API Token/password')"

# Or create a wrapper function for lazy loading
jira-ticket-cli() {
  export ATLASSIAN_API_TOKEN="$(op read 'op://Vault/Atlassian API Token/password')"
  command jira-ticket-cli "$@"
}
```

### macOS Keychain

```bash
# Store token
security add-generic-password -s "atlassian-api" -a "api_token" -w "your-token-here"

# Retrieve in shell config
export ATLASSIAN_API_TOKEN="$(security find-generic-password -s 'atlassian-api' -a 'api_token' -w)"
```

### Windows Credential Manager

```powershell
# Store (using PowerShell)
cmdkey /generic:atlassian-api /user:api_token /pass:your-token-here

# Retrieve (requires additional tooling or script)
```

### Linux (secret-tool / libsecret)

```bash
# Store
secret-tool store --label="Atlassian API Token" service atlassian-api account api_token

# Retrieve
export ATLASSIAN_API_TOKEN="$(secret-tool lookup service atlassian-api account api_token)"
```

### Credential Resolution Order

jira-ticket-cli checks for credentials in this order:

1. `JIRA_API_TOKEN` environment variable
2. `ATLASSIAN_API_TOKEN` environment variable (shared with cfl/confluence-cli)
3. `api_token` in config file (`~/.config/jira-ticket-cli/config.json`)

Environment variables are preferred as they enable secure secret management
without storing credentials in plaintext files.
````
### 3. Enhance `config show` to display credential source

```
$ jira-ticket-cli config show
Domain: mycompany
Email: user@example.com
API Token: redacted (source: ATLASSIAN_API_TOKEN)
```

## Related
- open-cli-collective/confluence-cli#93 - Same changes for confluence-cli
- Aligns credential handling across open-cli-collective tools
- Follows 12-factor app principles
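
An added sketch (not code from jira-ticket-cli or from this issue) of the resolution order combined with the source reporting proposed for `config show`. `Credential`, `ResolveAPIToken`, `DisplayLine`, the `fileToken` parameter, the "not set" text and the `[ignored: ...]` suffix are assumptions; it goes slightly beyond the proposal by also listing lower-priority sources that were set but ignored, which helps spot a stale token shadowing the intended one.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Credential is the winning token plus where it came from (names are assumptions).
type Credential struct {
	Token    string
	Source   string   // "" when nothing is set
	Shadowed []string // lower-priority sources that were set but ignored
}

// ResolveAPIToken applies the order from the issue. getenv is injected for
// testing; fileToken stands in for api_token from config.json (assumption).
func ResolveAPIToken(getenv func(string) string, fileToken string) Credential {
	candidates := []struct{ source, value string }{
		{"JIRA_API_TOKEN", getenv("JIRA_API_TOKEN")},
		{"ATLASSIAN_API_TOKEN", getenv("ATLASSIAN_API_TOKEN")},
		{"config file", fileToken},
	}
	var c Credential
	for _, cand := range candidates {
		switch {
		case cand.value == "":
			continue
		case c.Source == "":
			c.Token, c.Source = cand.value, cand.source
		default:
			c.Shadowed = append(c.Shadowed, cand.source)
		}
	}
	return c
}

// DisplayLine renders the `config show` line and never prints the token itself.
func DisplayLine(c Credential) string {
	if c.Source == "" {
		return "API Token: not set" // wording is an assumption
	}
	line := fmt.Sprintf("API Token: redacted (source: %s)", c.Source)
	if len(c.Shadowed) > 0 {
		line += " [ignored: " + strings.Join(c.Shadowed, ", ") + "]"
	}
	return line
}
func main() { fmt.Println(DisplayLine(ResolveAPIToken(os.Getenv, ""))) }
```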