Last updated May 24, 2024

Confluence Cloud Changelog

This page includes release notes and updates for Confluence Cloud app developers. Use this page to keep track of upcoming changes, deprecation notices, new features, and feature updates from Confluence Cloud.

Forge changelog

For updates about changes to the Forge platform, see the Forge changelog in the Forge documentation.

You can also ask questions and learn from other Confluence Cloud developers on the Atlassian Developer Community.

24 May 2024

Deprecation Notice Type of the `id` field for some entities in Confluence webhooks changed from `number` to `string`

As we announced in this community post, we’ve now changed the type of the id field for page, blogpost, attachment, and comment entities in Confluence Webhooks to be string instead of number. If your app switched to idAsString field after the previous announcement, please switch it back to using id field.

This change doesn’t affect id field of space entities.

idAsString field is now deprecated and will be removed from Confluence Webhooks in 6 months.

More details

Full list of affected webhooks:

  • attachment_archived

  • attachment_created

  • attachment_removed

  • attachment_restored

  • attachment_trashed

  • attachment_unarchived

  • attachment_updated

  • attachment_viewed

  • blog_created

  • blog_removed

  • blog_restored

  • blog_trashed

  • blog_updated

  • blog_viewed

  • comment_created

  • comment_removed

  • comment_updated

  • content_permissions_updated

  • label_added

  • label_created

  • label_deleted

  • label_removed

  • page_archived

  • page_children_reordered

  • page_created

  • page_copied

  • page_moved

  • page_removed

  • page_restored

  • page_trashed

  • page_unarchived

  • page_updated

  • page_viewed

  • space_created

  • space_logo_updated

  • space_permissions_updated

  • space_removed

  • space_updated

22 May 2024

Announcement Multi-Bodied Macro Extensibility GA

We are pleased to announce the GA of our Multi-Bodied Macro feature for Confluence Cloud, following the valuable feedback received during our EAP. This feature allows app developers to create dynamic content macros with multiple bodies. App developers can manipulate macro bodies – adding, deleting, or setting an active body for users to view. This functionality is designed to enhance content flexibility and interactivity on Confluence pages. For implementation details, please refer to the macro module documentation and tutorial.

A special thank you to all participants who engaged with us through the EAP and provided insightful feedback and suggestions on our RFC.

We encourage everyone to explore the new capabilities of the Multi-Bodied Macro, now fully available for use.

16 May 2024

Deprecation Notice Loading styles from Connect CDN instead of inline

We're deprecating injecting stylesheets for Connect apps via inline styles in favor of loading from the Connect CDN. This affects the Theming API and dynamic content macros that supported the legacy Confluence editor.

At the end of the deprecation period (18th November 2024), we’ll stop injecting any inline styles and only load from the CDN.

If your app doesn’t use the above Connect features, or doesn’t use a Content Security Policy (CSP) for style-src, no action is required. Otherwise, please read the details here or see https://developer.atlassian.com/platform/marketplace/security-requirements/#connect-apps on how to modify your CSP to support these changes.

More details

Action required

To support these changes in your app, if you're using a Content Security Policy that sets the style-src policy, you must add the Connect CDN (https://connect-cdn.atl-paas.net) to your policy to allow these stylesheets to be injected. It's safe to remove unsafe-inline from your policy if you've been using it up until now.

Additional context

The stylesheets mentioned here are included automatically via the Connect JS script, not manually by the app vendor. There are two circumstances under which Connect injects stylesheets into your app.

The first is only for apps which opted in to the Theming API. The theme stylesheets currently load via an inline stylesheet, which forces vendors to adopt the insecure unsafe-inline policy, and is the main motivation for this change.

The second location is only for dynamic content macros. We inject a stylesheet with CSS classes representing colors from the legacy Confluence editor. This happens without opt-in, to be backwards-compatible with macros created in the legacy editor. This injection is currently done via CSSOM, not inline styles, and therefore isn’t impacted by style-src CSP rules currently. However it’ll also start being served from the CDN.

During the deprecation period, styles will be loaded simultaneously via the current methods described above and from the CDN. After the deprecation period, styles will only be loaded from the CDN, and the inline/CSSOM methods will be removed.

13 May 2024

Deprecation Notice Bulk remove content states endpoint and Get update on long running tasks for content states endpoint in v1 Confluence Cloud REST API

We are deprecating the Bulk remove content states from content and the Get update on long running task for setting of content state v1 REST APIs in Confluence Cloud.

On Nov 13, 2024, the POST /wiki/rest/api/content-states/delete endpoint and the GET /wiki/rest/api/content-states/task/{taskId} will be removed.

More details

11 May 2024

Request for Comments (RFC) RFC: Let users easily interact with AND configure macros in the Editor

6 May 2024

Removed Removing the bulk set content state endpoint from the Confluence Cloud v1 REST API

Following this deprecation announcement from November 6, 2023, we're removing the PUT /wiki/rest/api/content-states endpoint from the Confluence Cloud v1 REST API. It’ll no longer be available from the time of this announcement and we won’t be providing a replacement functionality.

Fixed Removing internal groups from Confluence Cloud Rest API

The groups atlassian-addons and atlassian-addons-admin will no longer be returned by the Get Groups API since they are strictly for internal use.

3 May 2024

Announcement Update to Confluence v1 API Deprecation Timeline

We are extending the deprecation period for all endpoints noted in CHANGE-864 and CHANGE-1116 to Dec 2, 2024.

1 May 2024

Announcement Atlassian Security Scanner from a bird’s eye view

Atlassian Security Scanner is already checking your Marketplace apps for any critical- or high-severity vulnerabilities in third-party dependency trees and .jar files. The tool is helping us ensure that all apps on the Marketplace are safe for our customers to download and install on their instances.

While .jar files are scanned every day due to the nature of modern cyber threats, third-party dependencies are checked when you submit your app for approval for the first time and during the regular annual review.

If Security Scanner doesn’t detect any vulnerability in your app, it’s safe to be on the Marketplace.

In case a security issue has been found, a Jira ticket about it will be created in the Atlassian Marketplace Security (AMS) project, and you’ll receive an automated email notification about the ticket. As soon as you fix the issue, upload the new version of your app to the Marketplace. Your ticket will be closed automatically the next day after Security Scanner checks the app again and finds no vulnerabilities.

If you need help or have questions, don’t hesitate to chat with an entitled representative of the Data Center Review team in the ticket’s comments. Or you can always contact Atlassian Support directly.

More details

We’d like to highlight that the security scanning on our side is a complementary process to catch the most obvious security issues in case there are no security processes established on the app partner’s side. Thus, our solution doesn’t aim to substitute security checks on your side with a tool you trust. We rather provide assistance with a security audit in case these checks aren’t done.

Added Confluence data classification APIs

We’re introducing new endpoints to the Confluence Cloud REST API v2 for applying and modifying classification levels in spaces, pages and blog posts. How does data classification work?

26 April 2024

Added New Optional Include Field Parameters for Get Space by Id in Confluence Cloud v2 REST API

We’ve added a set of new query parameters to the v2 Get space by id API endpoint that allows for optional fetching of metadata properties related to the given space. These include:

  • include-labels

  • include-operations

  • include-properties

  • include-permissions

By default, these metadata properties will not be included in the response unless specified.

Request for Comments (RFC) RFC: Evolving the Developer Canary Program & associated Developer Assistant Apps

EDIT, 15-May-2024: This RFC is now closed.

A new RFC is ready for review at https://community.developer.atlassian.com/t/rfc-47-evolving-the-developer-canary-program-associated-developer-assistant-apps/79453.

24 April 2024

Request for Comments (RFC) RFC: Upcoming changes to Jira navigation

15 April 2024

Fixed Fixed incorrect scope check for OAuth 2.0 requests with a trailing forward slash

We have now fixed the incorrect scope check requests with a trailing forward slash.

Assume there is a scenario where a request is made to an endpoint https://api.atlassian.com/some/path/. Scope checking may find a valid scope for path /some/path/** and pass the scope check. Once the request reaches the backend service, if the service does not have a path with a trailing slash, it may remove it and invoke the parent endpoint https://api.atlassian.com/some/path which may not have the same scope requirements.

With this fix, scope checking will ignore the trailing slash when matching scopes to the path.

This means that a request to https://api.atlassian.com/some/path/ and https://api.atlassian.com/some/path will be treated the same with respect to scope checking.

11 April 2024

Added App access rule under data security policies: Data security policy events upper limit

The progressive rollout of data security policy events has been completed. Data security policy events are generated when installed apps' access to certain data within Confluence, Jira, Jira Service Management, or Jira Software has been blocked by an administrative policy with an App access rule. You can now subscribe to these events.

Being a new capability however, we are scaling up our processing of these data security policy events over the next few months. In the meantime we have set a upper limit of 50,000 objects. This means that if a customer activates or updates a data security policy that affects more than 50,000 objects, you will receive the first 50k objects in the events and the rest would be omitted.

We intend to raise these limits and will advise once we have reached our final threshold— and have determined our final hard limits.

More details

Data security policies help customers keep their organization’s data secure by letting them govern how users, apps, and people outside of their organization can interact with content such as Confluence pages and Jira issues.

The new app access rule under data security policies allows customers to restrict app access to the content in Confluence spaces or Jira projects under a given policy. In this way, customers can benefit from apps while still limiting 3rd-party app access to certain content in select spaces.

If you are looking to update your apps with custom in-app messaging whenever your app is affected by an app access rule, we encourage you to use the Developer guide.

Rate this page: