// documentation

Secret Notes
Docs.

How to create, reveal, restrict, revoke, and troubleshoot secret notes in Jira and Jira Service Management.

Overview

Secret Notes for Jira & JSM lets users create sensitive notes on Jira issues and Jira Service Management requests without putting plaintext secrets into comments, fields, or request replies.

Use it for temporary passwords, access tokens, certificate passphrases, private operational handoff notes, or similar sensitive content that needs to stay linked to work in Jira/JSM.

Where to find it

  • Jira: open an issue and use the Secret Notes issue panel.
  • Jira Service Management: open a portal request and use the Secret Notes request detail panel.
Screenshots will be added here after the Marketplace UI is finalized.

Create a secret note

  1. Open the relevant Jira issue or JSM request.
  2. Open the Secret Notes panel.
  3. Enter a clear note title, such as “Temporary VPN password” or “Vendor certificate passphrase”.
  4. Paste or type the secret content.
  5. Choose who can reveal the note.
  6. Choose an expiry policy.
  7. Create the note.

Note titles help users identify what a note is for. The secret content itself is stored separately in the Forge Secret Store.

Access modes

Anyone with app access

Default mode. In Jira, this means signed-in users who can access the issue and app. In JSM, the relevant request audience can be considered depending on reporter/participant/agent context.

Internal only

Limits reveal access to internal licensed users and admins. Useful when portal customers should not reveal the note.

Restricted

Choose specific users and/or groups that may reveal the note.

Expiry policies

Read once

The note self-destructs after the first successful reveal. Read-once notes require confirmation before reveal.

24 hours

The note remains revealable for 24 hours, then expires.

7 days

The note remains revealable for 7 days, then expires.

No expiry

The note remains until revoked manually. As a defense-in-depth backstop, the secret-store payload still has a maximum platform TTL of 365 days.

Reveal a note

  1. Open the Secret Notes panel on the issue or request.
  2. Find the note you need.
  3. Click Reveal.
  4. For read-once notes, confirm that you understand the note will self-destruct after reveal.
  5. Use Hide when you no longer need the plaintext on screen.

If you copy a revealed secret, it enters your operating-system clipboard. Clear your clipboard when you are done, especially if you use clipboard history or sync tools.

Revoke a note

Creators and Jira/site admins can revoke notes. A revoked note cannot be revealed again.

Use revoke when a secret should no longer be available, when the wrong audience was selected, or when the secret has been rotated elsewhere.

Audit trail

Secret Notes keeps a metadata-only audit trail. Audit events do not include secret plaintext.

  • created
  • reveal attempted
  • revealed
  • expired
  • revoked

The creator can see audit history for their own notes. Jira/site admins can view audit history from the Jira issue panel for investigation.

Limits

Secret payload
10 KB maximum
Notes per issue/request
20 maximum
Reveal attempts
20 per actor per note
Restricted users/groups
50 users and 50 groups maximum per note
Audit events
100 retained per note
Secret Store TTL backstop
365 days maximum

Troubleshooting

I cannot reveal a note.

You may not be in the note's reveal audience, the note may be expired/revoked/self-destructed, or your Jira/JSM account may not have access to the issue/request context.

A read-once note says self-destructed.

The note has already been successfully revealed once. Read-once notes cannot be revealed again.

A note disappeared from the revealable list.

It may have expired, been revoked, or self-destructed after a read-once reveal. Metadata may still be visible where audit/history access is allowed.

A portal customer cannot see a note.

The note may be internal-only, restricted to specific users/groups, or the app may not be able to verify that the customer is part of the request audience.

I copied a secret. What should I do?

Paste it only where intended, then clear your clipboard if your operating system or tools keep clipboard history.

Need help?

For support, bugs, privacy questions, or Marketplace review questions, open a support ticket.