Overview
Secret Notes for Jira & JSM lets users create sensitive notes on Jira issues and Jira Service Management requests without putting plaintext secrets into comments, fields, or request replies.
Use it for temporary passwords, access tokens, certificate passphrases, private operational handoff notes, or similar sensitive content that needs to stay linked to work in Jira/JSM.
Where to find it
- Jira: open an issue and use the Secret Notes issue panel.
- Jira Service Management: open a portal request and use the Secret Notes request detail panel.
Create a secret note
- Open the relevant Jira issue or JSM request.
- Open the Secret Notes panel.
- Enter a clear note title, such as “Temporary VPN password” or “Vendor certificate passphrase”.
- Paste or type the secret content.
- Choose who can reveal the note.
- Choose an expiry policy.
- Create the note.
Note titles help users identify what a note is for. The secret content itself is stored separately in the Forge Secret Store.
Access modes
Default mode. In Jira, this means signed-in users who can access the issue and app. In JSM, the relevant request audience can be considered depending on reporter/participant/agent context.
Limits reveal access to internal licensed users and admins. Useful when portal customers should not reveal the note.
Choose specific users and/or groups that may reveal the note.
Expiry policies
The note self-destructs after the first successful reveal. Read-once notes require confirmation before reveal.
The note remains revealable for 24 hours, then expires.
The note remains revealable for 7 days, then expires.
The note remains until revoked manually. As a defense-in-depth backstop, the secret-store payload still has a maximum platform TTL of 365 days.
Reveal a note
- Open the Secret Notes panel on the issue or request.
- Find the note you need.
- Click Reveal.
- For read-once notes, confirm that you understand the note will self-destruct after reveal.
- Use Hide when you no longer need the plaintext on screen.
If you copy a revealed secret, it enters your operating-system clipboard. Clear your clipboard when you are done, especially if you use clipboard history or sync tools.
Revoke a note
Creators and Jira/site admins can revoke notes. A revoked note cannot be revealed again.
Use revoke when a secret should no longer be available, when the wrong audience was selected, or when the secret has been rotated elsewhere.
Audit trail
Secret Notes keeps a metadata-only audit trail. Audit events do not include secret plaintext.
- created
- reveal attempted
- revealed
- expired
- revoked
The creator can see audit history for their own notes. Jira/site admins can view audit history from the Jira issue panel for investigation.
Limits
- Secret payload
- 10 KB maximum
- Notes per issue/request
- 20 maximum
- Reveal attempts
- 20 per actor per note
- Restricted users/groups
- 50 users and 50 groups maximum per note
- Audit events
- 100 retained per note
- Secret Store TTL backstop
- 365 days maximum
Troubleshooting
I cannot reveal a note.
You may not be in the note's reveal audience, the note may be expired/revoked/self-destructed, or your Jira/JSM account may not have access to the issue/request context.
A read-once note says self-destructed.
The note has already been successfully revealed once. Read-once notes cannot be revealed again.
A note disappeared from the revealable list.
It may have expired, been revoked, or self-destructed after a read-once reveal. Metadata may still be visible where audit/history access is allowed.
A portal customer cannot see a note.
The note may be internal-only, restricted to specific users/groups, or the app may not be able to verify that the customer is part of the request audience.
I copied a secret. What should I do?
Paste it only where intended, then clear your clipboard if your operating system or tools keep clipboard history.
Need help?
For support, bugs, privacy questions, or Marketplace review questions, open a support ticket.