Last updated Jun 7, 2024


Security plays a crucial role in safeguarding customer data stored in Assets from unauthorized access and preventing malicious or accidental alterations. Additionally, it empowers developers to create applications and integrations with assurance, thereby unlocking the complete potential of Assets data.

Security model

Assets deploys a layered security model to enable developers access and change Assets data in a secured and flexible manner. The security model consists of the following three layers:

  1. API authentication - Verify the identity of the requester accessing Asset’s public API.
  2. API authorization - Make sure the requester has the necessary permission to access the specific API.
  3. Role-based authorization - Make sure the requester has the necessary Assets roles to access the target data. See roles in Assets to learn more.

Building on top of this security model, Assets provides different authentication and authorization mechanisms designed to meet specific requirements and features of various integration pathways.

Build integrations with Assets

We provide three different ways for developers to build seamless yet secure integrations with Assets:

Three ways to build secure integrations with assets

Forge apps

Forge apps use OAuth 2.0 when authenticating with Assets. Scopes are an OAuth 2.0 mechanism that limits an app's access to a user's account. The Forge platform also provides managed APIs to make requests on behalf of the user, meaning that third-party code is never trusted with user credentials.

In addition, the Forge platform itself is inherently secure, in the way that it executes software and how it manages data.

See Security for Forge apps for more details.

Connect apps

Atlassian Connect apps use JWT (JSON Web Tokens) for authentication. This technology is built into the supported Atlassian Connect libraries. If you use client frameworks, most security operations are handled for you. Using JWT, Connect apps can access Assets APIs:

  • As app user: To access Assets APIs as an app to perform system actions, like scheduled jobs.
  • As user via impersonation: To access Assets APIs on a user’s behalf.

Authorisation via Connect scope

Please note that authorisation via Connect scope is not fully supported by Assets.

If you are a Connect app developer, to ensure your app can call Assets APIs you will need to do the following:

For example, if the app wants to use the API to create a new schema, you will need to:

Learn more about security for Connect Apps.

In rare circumstances where Connect apps cannot utilize JWT for authentication, there is an option for Connect apps to utilize token-based authentication and authorization to access Assets APIs (See below section for more details). However we do not recommend this, as this is against the latest security requirements for cloud apps.

Scripts or other REST API clients

Scripts and other REST API clients use token-based authentication and authorization to access Assets APIs. They should encode and add the token to the header for requests to the APIs. Assets supports two kinds of tokens:

  1. API token: Generated from a user's Atlassian Account.
  2. Container token: Generated by Assets to grant permission to access Assets APIs.

See API token-based authentication for more details.

We recommend that you only use token-based authentication and authorization if you have other security measures in place.

Rate this page: