Atlassian developer changelog

Forge SQL now inspects every query submitted by your app before it reaches the database. Queries that contain restricted functions, statements, or syntax are rejected with a new SQL_POLICY_VIOLATION error code before execution.

We’ve implemented this new policy to enforce the following:

• Stricter compliance with standard ANSI SQL syntax.

• Pre-emptive protection against SQL-based resource exhaustion and exploits.

• Stable, predictable performance across all Forge apps using SQL storage.

New error code: SQL_POLICY_VIOLATION

If your app submits a query that uses a restricted function or pattern, the @forge/sql package will return an error with a code, message, and suggestion field to help you resolve the violation.

Restricted functions and statements

The following are now monitored and may trigger rejection:

• Functions: SLEEP(), BENCHMARK(), COMPRESS(), UNCOMPRESS(), AES_ENCRYPT(), AES_DECRYPT(), SHA2()

• Statements: ALTER USER, LOCK TABLES, USE <table>

• Patterns: Unsupported optimizer hints, SET GLOBAL/SET INSTANCE, most SHOW statements, SQL-level PREPARE/EXECUTE/DEALLOCATE PREPARE, and multi-statement queries.

A subset of SET, SHOW, USE and optimizer hints remain permitted. See the SQL query policy documentation for the full allowlist.

What you need to do

• Review your queries: If your app uses any restricted functions or syntax patterns, those queries will now be rejected at runtime.

• Update error handling: Check for errorCodes.SQL_POLICY_VIOLATION alongside existing error codes to handle rejections gracefully.

If your app requires a restricted function for a valid use case, request an exemption through the Developer Support portal with your app.id, the query, and the use case.

Forge connectors built on the @forge/teamwork-graph SDK can now use Orchestration - a platform-managed scheduling and execution layer that runs background ingestion work without an external scheduler or cron.

We’re enhancing the jira:uiModifications module to support interactions with different user types in Jira.

Apps with UI Modifications that need to work for anonymous users must explicitly declare this in the app manifest using the unlicensedAccess attribute.

This change will take effect on Jun 29, 2026. We recommend that you deploy an update to your app before this date to avoid any interruption to your app’s functionality for anonymous users.

Add the anonymous value to the unlicensedAccess attribute for each jira:uiModificationsmodule that needs to execute for anonymous users in Jira.

For more information, see the guide on Access to Forge apps for unlicensed users.

From Monday Jun 29, 2026 onwards, UI Modifications modules will not be executed for anonymous users unless the module explicitly declares it.

You can now configure product event triggers and scheduled triggers to skip invocations for installations where your app is not actively licensed.

What's changing

By adding the appIsLicensed filter to your trigger modules in manifest.yml, the Forge platform will block trigger invocations for installations where the app's license is already inactive. This helps reduce unnecessary compute usage for unlicensed installations.

This change is specifically designed to address apps with existing inactive licenses (e.g., legacy entitlements that have lapsed). It is separate from the broader platform app suspension behaviour being explored in https://community.developer.atlassian.com/t/rfc-137-forge-app-suspension-behaviour/101092, which covers future suspension lifecycle handling.

This is an opt-in feature. Existing triggers are unaffected unless you explicitly add the filter to your manifest.

What you need to do

To enable this filtering, update your manifest.yml by adding the appIsLicensed: true filter to your trigger modules:

• Open your manifest.yml file

• Locate your trigger or scheduledTrigger modules

• Add the filter property with appIsLicensed: true

For more information, see the https://developer.atlassian.com/platform/forge/manifest-reference/modules/trigger/#filter-reference and https://developer.atlassian.com/platform/forge/manifest-reference/modules/scheduled-trigger/#filter-reference.

What’s changing
You can now enable guest access for the following Jira Forge modules:

• jira:customField

• jira:customFieldType

• jira:issuePanel

This update allows your apps to run for unlicensed users (guests) who have been invited to a single Jira space. By default, Forge apps only run for licensed Jira and Jira Service Management users.

What you need to do
To allow your app to serve unlicensed and guest users, add the unlicensedAccess property to the relevant modules in your manifest.yml file.

For detailed implementation steps, refer to the guide for unlicensed users.

As announced in Feb 5, 2026, we have removed the Bitbucket Cloud Connect addon linker APIs. These endpoints are no longer available.

The following REST API endpoints have been removed from Bitbucket Cloud:

• GET /2.0/addon/linkers

• GET /2.0/addon/linkers/{linker_key}

• GET /2.0/addon/linkers/{linker_key}/values

• PUT /2.0/addon/linkers/{linker_key}/values

• POST /2.0/addon/linkers/{linker_key}/values

• DEL /2.0/addon/linkers/{linker_key}/values

• GET /2.0/addon/linkers/{linker_key}/values/{value_id}

If you were using these endpoints, you must update your integrations to remove these calls as they will now return an error. For more information on the end of support for Connect on Bitbucket Cloud, please refer to the official announcement.

On 15 September 2026, the jiraServiceManagement:queuePage Forge extension point will stop loading on Customer Service Management (CSM) spaces in Jira.

What's changing

Apps using this module on CSM queues will stop rendering on that surface from the deprecation date. The module will continue to function as expected on standard Jira Service Management (JSM) spaces.

What you need to do

You should migrate to the dedicated replacement extension point, customerServiceManagement:queuePage, which is generally available from 15 June 2026.

• Replace jiraServiceManagement:queuePage with customerServiceManagement:queuePage in your app's manifest.yml.

• Review the manifest reference for the new module.

• Deploy your changes before the deadline.

Timeline

• 15 June 2026: customerServiceManagement:queuePage reaches GA.

• 15 June 2026 – 14 September 2026: Migration window.

• 15 September 2026: jiraServiceManagement:queuePage stops loading on CSM spaces.

If you cannot migrate in time, please contact Atlassian for case-by-case support.

The app migration platform will now automatically detect the correct migration listener to invoke if multiple are defined. This can be useful for defining different migration paths to different environments (i.e. commercial, isolated cloud and AGC) or if you would like to support migrations to one or more cloud apps.

To find out more, our documentation is available here

The new customerServiceManagement:queuePage Forge module is generally available from 15 June 2026.

What's changing

This module lets you add a custom item under the Queues section in the left navigation of a Customer Service Management (CSM) space. When clicked, your app renders a full page within the Jira interface.

What you need to do

• Review the customerServiceManagement:queuePage manifest reference for configuration details.

• If you currently use jiraServiceManagement:queuePage on CSM spaces, you must migrate to this new dedicated extension point.

Related deprecation

As a result of this new dedicated extension point, the existing jiraServiceManagement:queuePage Forge extension point will no longer load on CSM spaces from 15 September 2026. See CHANGE-3175 for migration details.

The new customerServiceManagement:requestDetail Forge module is generally available from 15 June 2026.

What's changing

This module lets you add a panel to the request details screen of a Customer Service Management (CSM) support site. Your app's content is displayed below the Conversation history section on the request details page.

What you need to do

Refer to the customerServiceManagement:requestDetail manifest reference for technical configuration and schema details.

The new design language updates for IconTile — previewed at Team '26 and previously rolling out behind feature flags — are now the default in @atlaskit/icon v35.0.0.

Alongside the feature flag cleanup, there are API changes you'll need to be aware of.

The size prop on IconTile no longer accepts pixel number strings. All sizes now use t-shirt size names. The following pixel values have been removed and must be migrated:

The default size has also changed from "small" (24px) to "medium" (32px). If you were relying on the default, explicitly pass size="small" to retain the previous behaviour.

A new "xsmall" size has been introduced, rendering at 20px. This is now the smallest available IconTile size.

The size="16" option for IconTile has been removed entirely as it was too small to be accessible. There is no 16px tile — the smallest tile is now "xsmall" at 20px.

If you previously used a 16px IconTile, migrate to rendering the 16px icon directly with a colour token:

The transitional types LegacyIconTileSize and NewIconTileSize have been removed. Use IconTileSize directly:

IconTileSize is now the single canonical type, defined as:

The shape prop on IconTile has been deprecated for over 6 months now and will be removed in a future version very soon. Circular icon tiles will not be supported.

If you are currently using shape="circle", you must plan your migration now:

• Assess the need for circular icon appearance: We’re asking you to migrate to square Icon tiles where possible, otherwise

• Use ADS primitives: Rebuild using ADS primitives (Box with borderRadius: radius.full for example).

The IconTile component is coming soon to Forge UI Kit.

• IconTile documentation on atlassian.design

Forge apps can now make API calls on behalf of JSM portal-only users. JSM portal-only users (also called customer account users) are customers who access your service desk through the JSM portal but don't have a full Atlassian account.

With this release, asUser() in Forge now works for customer accounts from both the frontend and the backend.

Apps can now perform actions like creating customer requests, reading comments, and updating tickets in the context of the portal-only user, with full permission checks preserved, exactly as they would be for a standard Atlassian account user.

The changes will be reflected upon redeployment of the Forge app.

What's changing

Forge custom fields (FCF) of type object can now render a rich custom edit experience in Jira's bulk edit.

Previously, object type FCF were rendered as an empty text input via (Atlaskit's TextField). With this change,

• It will be rendered as an empty JSON schema, making it easier to inline edit.

• You can now control how the field renders during bulk edit using your own custom resources via UI Kit or Custom UI, consistent with other surfaces such as issue view and global issue create.

This is available as a Preview feature, and currently only for the object field type.

What you need to do

• To opt in to the bulk edit experience, add issue-bulk-edit to the edit experiences of your custom field (or custom field type) in your manifest.yml:

  1 2 3 4 5 6 7 8 9 10 modules: jira:customField: - key: my-object-field name: My object field type: object edit: experience: - issue-create - issue-transition - issue-bulk-edit // <-- new surface

• Keep these constraints in mind for the bulk edit experience:

  • Issue and Project details are not available in the extension context during issue-bulk-edit.

  • In the formatter expression, only value and fieldId are available when renderContext/experience is issue-bulk-edit.

  • If your edit UI depends on issue or project context, detect this case using renderContext === 'issue-bulk-edit' and render an appropriate fallback UI.

For details, see: Jira Custom Fields > Issue Bulk Edit.

We've added a new set of public REST API endpoints that let you migrate Confluence spaces from the legacy granular space permission model to role-based access control (RBAC) using space roles.

Confluence spaces historically used 14 granular permissions (e.g. Add page, Delete attachment, Set permissions) assigned directly to users and groups. This checkbox-based model is difficult to audit, bulk-manage, and keep consistent across hundreds of spaces.

Confluence is replacing this with role-based access control (RBAC), where each principal (user, group, or app) is assigned a single space role (e.g. Admin, Collaborator, Viewer) that bundles the relevant permissions together.

These endpoints are the programmatic migration path: they let Confluence admins convert existing granular permission grants into equivalent role assignments — in bulk, without manual remapping — and are designed to be called from scripts or admin tooling.

All endpoints are under /wiki/api/v2/space-permissions/transition:

• GET /combinations — List a space's permission combinations that don't yet map to a role

• POST /combinations — Generate the permission combinations for a space

• POST /role-assignments — Bulk assign space roles to users/groups based on their existing permission combinations

• POST /access-removals — Bulk remove legacy permission combinations after transitioning to roles

• GET /tasks/{taskId} — Check the status of a transition task

• read:configuration:confluence — for the GET endpoints

• write:configuration:confluence — for the POST endpoints

Calling these endpoints requires Confluence site admin permission.

1. POST /combinations — compute the permission combinations currently in use across a space's grantees (returns a taskId)

2. Poll GET /tasks/{taskId} until COMPLETED

3. GET /combinations — list the combinations that aren't yet mapped to an RBAC role

4. POST /role-assignments — bulk assign roles so existing users and groups retain equivalent access under the new model

5. POST /access-removals — bulk remove the legacy permission grants that have been superseded by role assignments

6. Poll GET /tasks/{taskId} for the assignment / removal tasks until COMPLETED

These endpoints are experimental. We're validating the API contract against real-world migration workloads and plan to stabilize it once we've confirmed the shape holds across a range of tenant configurations.

Available now in all Confluence Cloud editions in roles transition mode. Please raise issues on the Atlassian Developer Community if you find anything.

We’ve added new navigation targets for the Forge bridge’s router object. These allow you to use the router API to navigate to supported UI module pages in Bitbucket.

What’s changing:

The following Bitbucket modules are now supported as navigation targets:

• bitbucket:workspaceGlobalPage

• bitbucket:workspacePersonalSettingsPage

• bitbucket:workspaceSettingsMenuPage

• bitbucket:projectSettingsMenuPage

• bitbucket:repoMainMenuPage

• bitbucket:repoSettingsMenuPage

What you need to do:

You can now update your Custom UI or UI Kit apps to use these targets with router methods. For implementation details and examples, see the router object documentation.