Letting Claude Code Talk to Jira Safely: OAuth Login and Refresh Tokens in the New go-jira


More and more developers let AI CLI tools like Claude Code run commands, look things up, and tidy up afterwards right on their own development machines. Wiring that AI workflow into Jira makes it even more powerful: the AI can look up issues, update statuses, leave comments, and map commit messages back to tickets. The star of this post, go-jira (https://github.com/appleboy/go-jira), is a Jira CLI built for exactly this scenario. But there’s a security question that keeps getting underrated — how does the CLI authenticate to Jira?

The most common answer historically is a PAT (Personal Access Token). It’s simple, but on an AI development machine it carries two very real risks:

  1. The AI can read it by accident. A PAT usually lives in .env, a shell rc file, or some config file. The moment you let an AI agent “freely explore the filesystem” on that machine, this long-lived token — which carries your full account permissions — can get pulled into the context, or even written out into some piece of output.
  2. A file that lives forever is an exposure surface that lives forever. A PAT doesn’t rotate. Once leaked, it stays valid until you manually revoke it. We’ve all heard the stories: synced to the cloud, swept into a backup, accidentally committed into a repo.

That’s why “switching CLI auth from a PAT to Jira OAuth” has been pulled back into the spotlight lately. This post documents how the new go-jira uses OAuth Login + refresh tokens to tuck tokens into the operating system’s Keyring, so developers can obtain a token conveniently and store it safely — and so AI CLIs like Claude Code can interact with Jira in a much safer way.

Note: go-jira’s OAuth only supports Jira Data Center, not Jira Cloud (the two use different OAuth flows).


Letting Claude Code Operate Jira Safely: OAuth Login and Refresh Tokens in Practice in the New go-jira


More and more developers are getting used to letting AI CLI tools like Claude Code run commands, look up data, and tidy up afterwards on their own development machines. Once that AI workflow is connected to Jira it becomes even more powerful: the AI can look up issues for you, update statuses, add comments, and map commit messages to tickets. The protagonist of this article, go-jira (https://github.com/appleboy/go-jira), is a Jira CLI built precisely for this scenario. But there is one security issue here that has long been underestimated: how does the CLI authenticate to Jira?

In the past the most common approach was a PAT (Personal Access Token). It is indeed simple, but on an AI development machine it carries two very practical risks:

  1. The AI may read it by accident: a PAT is usually stuffed into .env, a shell rc file, or some configuration file. When you let an AI agent “freely explore files” on this machine, this long-lived token, which is equivalent to your account’s permissions, can easily be read into the context or even written into some piece of output.
  2. Long-term existence as a file = a long-term exposure surface: a PAT does not rotate automatically; once leaked, it remains valid until you manually revoke it. We have all heard the stories of files being synced to the cloud, swept into backups, or accidentally committed into a repo.

That is why “switching CLI authentication from a PAT to Jira OAuth” has recently been brought back into focus. This article documents how the new version of go-jira uses OAuth Login + Refresh Token to put tokens into the operating system’s Keyring, letting developers obtain tokens conveniently and store them safely, so that AI CLIs such as Claude Code can interact with Jira in a safer way.

Note: go-jira’s OAuth only supports Jira Data Center, not Jira Cloud (the two use different OAuth flows).


Integrating Gitea with Jira Software Development Workflow


Before diving in, let’s familiarize ourselves with Gitea and Jira. For better context, I recommend reading “Git Software Development Guide: Key to Improving Team Collaboration” first.

Gitea is a lightweight self-hosted Git server written in Go, providing teams with an easily deployable code management solution. It supports multiple operating systems including Linux, Windows, and macOS, while offering comprehensive features for code review, issue tracking, and Wiki management—all essential tools for enhancing team collaboration.

Jira is Atlassian’s professional project management and issue tracking system. Widely adopted by software development teams worldwide, Jira excels in issue tracking, supports agile methodologies (including Scrum and Kanban), and provides robust data analytics capabilities to optimize project management and team collaboration.


Integrating Gitea with the Jira Software Development Workflow


Before starting this article, let us first get to know the two tools Gitea and Jira. I suggest reading “Git Software Development Guide: The Key to Improving Team Collaboration” first to better understand what follows.

Gitea is a lightweight self-hosted Git server developed in the Go language, giving teams an easy-to-deploy code management solution. Besides supporting multiple operating systems such as Linux, Windows, and macOS, the system also offers complete code review, issue tracking, and Wiki features, which can greatly improve a team’s collaborative development efficiency.

Jira is a professional-grade project management and issue tracking system developed by Atlassian. As a tool widely adopted by software development teams, Jira not only provides complete issue tracking but also supports agile development processes (such as Scrum and Kanban) and rich data analytics features, effectively helping teams manage project progress and improve collaboration quality.
