We've added a new set of public REST API endpoints that let you migrate Confluence spaces from the legacy granular space permission model to role-based access control (RBAC) using space roles.

Confluence spaces historically used 14 granular permissions (e.g. Add page, Delete attachment, Set permissions) assigned directly to users and groups. This checkbox-based model is difficult to audit, bulk-manage, and keep consistent across hundreds of spaces.

Confluence is replacing this with role-based access control (RBAC), where each principal (user, group, or app) is assigned a single space role (e.g. Admin, Collaborator, Viewer) that bundles the relevant permissions together.

These endpoints are the programmatic migration path: they let Confluence admins convert existing granular permission grants into equivalent role assignments — in bulk, without manual remapping — and are designed to be called from scripts or admin tooling.

All endpoints are under /wiki/api/v2/space-permissions/transition:

• GET /combinations — List a space's permission combinations that don't yet map to a role

• POST /combinations — Generate the permission combinations for a space

• POST /role-assignments — Bulk assign space roles to users/groups based on their existing permission combinations

• POST /access-removals — Bulk remove legacy permission combinations after transitioning to roles

• GET /tasks/{taskId} — Check the status of a transition task

• read:configuration:confluence — for the GET endpoints

• write:configuration:confluence — for the POST endpoints

Calling these endpoints requires Confluence site admin permission.

1. POST /combinations — compute the permission combinations currently in use across a space's grantees (returns a taskId)

2. Poll GET /tasks/{taskId} until COMPLETED

3. GET /combinations — list the combinations that aren't yet mapped to an RBAC role

4. POST /role-assignments — bulk assign roles so existing users and groups retain equivalent access under the new model

5. POST /access-removals — bulk remove the legacy permission grants that have been superseded by role assignments

6. Poll GET /tasks/{taskId} for the assignment / removal tasks until COMPLETED

These endpoints are experimental. We're validating the API contract against real-world migration workloads and plan to stabilize it once we've confirmed the shape holds across a range of tenant configurations.

Available now in all Confluence Cloud editions in roles transition mode. Please raise issues on the Atlassian Developer Community if you find anything.

A new Rovo-powered AI chat widget is now available for all logged-in users on https://developer.atlassian.com. Located in the bottom right corner of developer documentation pages, this assistant can answer questions, surface relevant docs, and help you build on the platform faster.

Key features include:

• Contextual answers: The chat understands the context of your question and provides relevant answers rather than generic search results.

• Developer-focused knowledge: Trained on Atlassian developer documentation, the assistant understands Forge, REST APIs, Marketplace, and platform concepts.

• Natural language understanding: Ask questions in plain language; no need to know exact documentation titles or keywords.

• Follow-up questions: Continue a conversation naturally with follow-up questions to drill deeper into a topic.

• Source transparency: The widget displays the specific documentation and support sources used to generate each answer.

• Conversation history: You can access and review your previous interactions for up to 28 days.

• Independent operation: The assistant works independently of your product licenses and organization-level AI settings.

For more details on how the assistant handles data and what sources it uses, see the Atlassian developer AI chat documentation.

What’s changing:
The Confluence Cloud REST API v2 endpoints for listing page and blogpost versions now enforce a maximum limit of 50 results when the body-format query parameter is included. Requests without a body-format parameter are unaffected.

Affected endpoints:

• GET /wiki/api/v2/pages/{id}/versions

• GET /wiki/api/v2/blogposts/{id}/versions

Previously, requests with body-format could return up to 250 results. If the requested limit exceeded the maximum, the API returned a 400 Bad Request error.

With this change, if the requested limit exceeds 50 when body-format is specified, the response will be capped at 50 results and return 200 OK.

What you need to do:

If your integration relies on receiving more than 50 versions in a single request with a specific body format, you must update your logic to handle pagination. Use the cursor provided in the _links.next field of the response to fetch subsequent pages of results.

As recently announced in Raising the bar on Marketplace cloud app security: together we are updating the Marketplace Security Bug Fix Policy to shorten vulnerability remediation timelines for Marketplace cloud apps. These changes ensure a higher security standard across our ecosystem.

What’s changing
The remediation Service Level Objectives (SLOs) for Marketplace cloud apps are being shortened. The timelines for Data Center apps remain unchanged.

Updated Cloud App SLOs (Enforceable September 1, 2026):

• Critical: 10 days

• High: 4 weeks

• Medium: 12 weeks

• Low: 25 weeks

Data Center App SLOs (Unchanged):

• Critical: 12 weeks

• High: 12 weeks

• Medium: 12 weeks

• Low: 25 weeks

Additionally, we have published the Marketplace Security Enforcement Policy, a consolidated source of truth for marketplace security compliance expectations, including vulnerability management, OAuth compliance, partner verification, bug bounty participation, and incident response.

What you need to do

• Review the new timelines: Ensure your internal processes are updated to meet the new cloud app SLOs by September 1, 2026.

• Check your tickets: We have corrected an issue where some AMS Data Center tickets incorrectly showed cloud remediation dates. If you believe a ticket still has an incorrect date, please raise an ECOHELP ticket.

• Watch the policy page: The Marketplace Security Enforcement Policy is a living document, we recommend "watching" the page for future updates.

We've introduced the Tile component for Forge UI Kit apps, now available in Preview. The Tile component is a rounded square container for displaying assets like emojis, or objects in a consistent, styled way.

The component supports various sizes (from 16px to 48px), customizable background colors using design tokens, optional borders, and adjustable internal padding for different asset types including third-party logos.

For implementation details and examples, see the Tile component documentation.

A new RFC is ready for review at RFC-136

A new optional boolean parameter, generateAppEvents has been introduced to the following Jira Cloud REST API endpoints

• POST /rest/api/2/app/field/value - Update custom fields

• PUT /rest/api/2/app/field/{fieldIdOrKey}/value - Update custom field value

What it does: When set to false, this parameter suppresses the generation of app events triggered by the update. Specifically, it prevents issue updated events from being dispatched to:

• Forge app event listeners

• Connect app event listeners

• OAuth 2.0 app webhooks

• Admin-configured webhooks (registered via the Jira admin UI)

Default behavior: When omitted or set to true, all app events are generated as usual.

The boolean usages of the autoFocus prop have now been removed from @atlaskit/modal-dialog. The previously default value of true, which automatically moves focus to the first interactive element within the modal, is now the default with no option to set it to false. This is to improve accessibility and follow the WCAG guidelines for focus within a modal dialog.

Boolean usages of autoFocus can be removed by running the included codemod.

Atlassian will discontinue support for the Atlassian Connect Express (@atlassian/atlassian-connect-express) and Atlassian Connect Spring Boot (atlassian-connect-spring-boot) frameworks alongside the end of support for the Atlassian Connect platform.

As of April 30, 2026, Atlassian has ceased development of new features for these frameworks. While we will continue to patch vulnerabilities and assess bug fixes on a case-by-case basis for the time being, this support will end completely when the Connect platform enters its final EOS phase in Q4 2026. When that happens, Atlassian will no longer:

• Investigate or remediate breaking changes caused by product or platform updates.

• Provide official maintenance or security patches for these frameworks

Both frameworks will remain available as open-source projects under the Apache 2.0 license, and their source code will continue to be accessible at:

• Atlassian Connect Express: https://bitbucket.org/atlassian/atlassian-connect-express

• Atlassian Connect Spring Boot: https://bitbucket.org/atlassian/atlassian-connect-spring-boot

Developers who wish to continue using these frameworks can fork and maintain them independently. However, any future maintenance (including addressing breaking changes or security issues that arise after Connect enters EOS) will be the responsibility of the community or individual developers.

For details on the Atlassian Connect EOS timeline and phases, see:
https://www.atlassian.com/blog/developer/announcing-connect-end-of-support-timeline-and-next-steps

We’re announcing the deprecation and upcoming decommission of the AUI CDN.
AUI CDN will be shut down after Oct 30, 2026.

What is AUI CDN?
aui-cdn.atlassian.com hosts legacy JavaScript and CSS assets for AUI (Atlassian User Interface) versions 5.2.0 – 6.0.9.

Who is affected?
The AUI CDN is primarily used by Connect apps, so this mostly affects apps not yet migrated from Connect to Forge. Connect has announced its own End of Support late 2026. In some rare cases, AUI CDN is also used by Forge apps.

How to check if you're affected
Search your app's source code for any URLs containing aui-cdn.atlassian.com. If you find any references, your app is loading assets from AUI CDN and you need to take action before the shutdown.

What to do if you're affected
Remove all references to aui-cdn.atlassian.com from your codebase and migrate to a supported alternative:

• Recommended: Migrate AUI to Atlassian Design System or Forge UI Kit. Any Atlassian Connect apps should also migrate to Forge, as Connect End of Support has been announced.

• If migrating is not suitable for you (e.g. non-React apps), you have these options:

  • Bundle AUI directly: via npm. See the AUI documentation.

  • Third-party CDN: use a CDN that serves npm packages, e.g. jsDelivr (https://cdn.jsdelivr.net/npm/aui@latest/) or unpkg (https://unpkg.com/aui@latest/)

  • Self-host: download any required AUI assets and serve the static assets yourself

Timeline
AUI CDN will be shut down after Oct 30, 2026. After this date, any requests to aui-cdn.atlassian.com will fail, which will break apps that haven't migrated. Please migrate as soon as possible.

We've added a new Confluence Forge event for performed search: avi:confluence:performed:search

You can use this event to invoke your Forge app function when a Confluence search is performed. For more details, see the Confluence events reference documentation.

The legacy icon entry points in @atlaskit/icon have been permanently removed following the deprecation notice published in 2024. The removed entry points are: @atlaskit/icon/glyph/, @atlaskit/icon/core/migration/, @atlaskit/icon/utility/, @atlaskit/icon/base, @atlaskit/icon/svg, and @atlaskit/icon/migration-map.

The no-legacy-icons ESLint rule has also been removed from @atlaskit/eslint-plugin-design-system as it is no longer needed.

Apps using Forge Custom UI or Atlassian Connect that import from any of the above entry points must update their imports to use @atlaskit/icon/core/ instead. Migration guidance, codemods, and the full list of icon replacements were published in the original deprecation notice: https://developer.atlassian.com/changelog/#CHANGE-2773

The spacing prop on icon components in @atlaskit/icon and @atlaskit/icon-lab is now deprecated. The prop was introduced to ease migration from the legacy icon system by allowing icons to carry their own padding. Now that the legacy icon migration is complete, whitespace around icons should be controlled by the surrounding layout rather than the icon itself — consistent with how the rest of the Atlassian Design System handles spacing.
The spacing prop will be removed in a future major release. While no immediate action is required and existing usages will continue to work for now, we recommend migrating away from spacing ahead of its removal. To migrate, replace spacing="spacious" or spacing="compact" with a Flex wrapper from @atlaskit/primitives/compiled using explicit padding tokens. A codemod and ESLint rule with IDE quick-fix are available to automate the migration. Full guidance: https://atlassian.design/components/icon/usage

Following our deprecation notice on Sep 29, 2025:

• Customers can no longer install Connect private apps.

• Partners and developers can no longer update existing Jira or Confluence apps using a Connect descriptor on the Atlassian Marketplace.

From now on, private apps can only be installed via Forge installation links. See https://developer.atlassian.com/platform/forge/distribute-your-apps/ for instructions on sharing these links to your customers.

This milestone is in line with our timeline for ending support for the Connect platform.

Forge apps with app.connect.key declared in their manifest can now retrieve the Connect clientKey for an installation via a reserved, read-only app property. See Retrieving the Connect clientKey in Forge for instructions.