Last updated Mar 18, 2024

Security overview

Security helps protect customer data from unauthorized access and from malicious or accidental changes. It also allows administrators to install apps with confidence, letting users enjoy the benefits of apps without worry.

Security is implemented differently, depending on what you are building:

  • Forge apps
  • Connect apps
  • OAuth 2.0 (3LO)
  • Scripts or other REST API clients

Forge apps

Forge apps use OAuth 2.0 when authenticating with Confluence. Scopes are an OAuth 2.0 mechanism that limits an app's access to a user's account. The Forge platform also provides managed APIs to make requests on behalf of the user, meaning that third-party code is never trusted with user credentials.

In addition, the Forge platform itself is inherently secure, in the way that it executes software and how it manages data.

To learn more, read Security for Forge apps.

Connect apps

Atlassian Connect apps use JWT (JSON Web Tokens) for authentication. This technology is built into the supported Atlassian Connect libraries. If you use the client frameworks, most security operations are handled for you.

Atlassian Connect apps can use two types of authorization:

  • Authorization via scopes and app users: Scopes are permissions that are defined in the app descriptor. The app has its own app user with permissions controlled by the admin. The set of allowed actions is the intersection of the scopes and the permissions of the app user.
  • Authorization with user impersonation: User impersonation allows your integration to access Atlassian APIs on a user's behalf.

To learn more, read Security for Connect apps.

OAuth 2.0 (3LO)

OAuth 2.0 (3LO) use three-legged OAuth, also known as OAuth 2.0 authorization code grants. OAuth 2.0 (3LO) is a token-based method for authentication and authorization. This method allows your OAuth 2.0 (3LO) app to access Atlassian APIs on a user's behalf. Unlike two-legged OAuth, three-legged OAuth involves the end user in the authorization process by asking them to provide consent to access to their data.

Authenticated access for OAuth 2.0 (3LO) is provided by an access token that's used to make calls to the API. The 3LO app provides the authentication credentials that are used to get an access token for the desired API.

Authorization for OAuth 2.0 (3LO) is implemented via scopes. Scopes statically specify the maximum set of actions that an app may perform. Note, 3LO scopes are different to Connect scopes.

OAuth 2.0 (3LO) are created and managed in the developer console.

To learn more, read OAuth 2.0 authorization code grants (3LO).

Scripts and other REST API clients

Scripts and other REST API clients use basic authentication. Basic authentication uses an API token to authenticate the client. The token is generated from a user's Atlassian Account, encoded, then added to the header for requests to the API.

Authorization for basic authentication is based on the permissions of the user you used to generate the API token. For example, if you're using basic authentication, your user must have the Admin permission for a space in order to call PUT /wiki/rest/api/space/{spaceKey} (Update space).

We recommend that you only use basic authentication if you have other security measures in place.

To learn more, read Basic auth for REST APIs.

Rate this page: