Last updated Apr 4, 2023

Security overview

Security helps protect customer data from unauthorized access and from malicious or accidental changes. It also allows administrators to install apps with confidence, letting users enjoy the benefits of apps without worry.

Security is implemented differently, depending on what you are building:

  • Forge apps (and Connect on Forge)
  • OAuth 2.0 (3LO)
  • Scripts or other REST API clients

Forge apps

Forge apps use OAuth 2.0 when authenticating to the Forms API. Scopes are an OAuth 2.0 mechanism that limits an app's access to a user's account. The Forge platform also provides managed APIs to make requests on behalf of the user, meaning that third-party code is never trusted with user credentials.

In addition, the Forge platform itself is inherently secure, in the way that it executes software and how it manages data.

The OAuth scopes that are needed are:

  • read:jira-work
  • write:jira-work
  • manage:jira-project
  • read:servicedesk-request
  • write:servicedesk-request

Learn more about security for Forge apps.

Connect apps

Atlassian Connect apps use JWT (JSON Web Tokens) for authentication. This technology is built into the supported Atlassian Connect libraries. If you use the client frameworks, most security operations are handled for you.

Atlassian Connect apps can use two types of authorization:

  • Authorization via scopes and app users: Scopes are permissions that are defined in the app descriptor. The app has its own app user with permissions controlled by the admin. The set of allowed actions is the intersection of the scopes and the permissions of the app user.
  • Authorization with user impersonation: User impersonation allows your integration to access Atlassian APIs on a user's behalf.

Learn more about security for Connect apps.

OAuth 2.0 (3LO)

OAuth 2.0 (3LO) apps use three-legged OAuth, also known as the OAuth 2.0 authorization code grant. OAuth 2.0 (3LO) is a token-based method for authentication and authorization. This method allows your OAuth 2.0 (3LO) app to access Atlassian APIs on a user's behalf. Unlike two-legged OAuth, three-legged OAuth involves the end user in the authorization process by asking them to consent to the app accessing their data.

Authenticated access for OAuth 2.0 (3LO) is provided by an access token that's used to make calls to the API. The 3LO app provides the authentication credentials that are used to get an access token for the desired API.

Authorization for OAuth 2.0 (3LO) is implemented via scopes. Scopes statically specify the maximum set of actions that an app may perform. Note that 3LO scopes are different from Connect scopes.

OAuth 2.0 (3LO) apps are created and managed in the developer console.

Learn more about OAuth 2.0 authorization code grants (3LO).

Scripts and other REST API clients

Scripts and other REST API clients use basic authentication. Basic authentication uses an API token to authenticate the client. The token is generated from a user's Atlassian Account, encoded, then added to the header for requests to the API.

Authorization for basic authentication is based on the permissions of the user you used to generate the API token. For example, if you're using basic authentication, your user must have the Admin permission for a project and issue in order to call GET /jira/forms/cloud/{cloudId}/issue/{issueIdOrKey}/forms (Get form index).

We recommend that you only use basic authentication if you have other security measures in place.

Learn more about basic auth for REST APIs.
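The two credential formats described on this page, as an added example (not Atlassian's code): a basic-auth header built from an email and API token, a bearer header for a 3LO or Forge access token, and the URL for the Get form index call with its path parameters percent-encoded. The base URL, the cloud ID and the issue key are assumed or constructed values; the decode helper shows why basic auth is only an encoding and needs the extra safeguards the page recommends.

```python
import base64
from urllib.parse import quote

# Assumed base URL for the Forms API (assumption; confirm against the API reference).
FORMS_API_BASE = "https://api.atlassian.com"


def basic_auth_header(email: str, api_token: str) -> dict:
    """Authorization header for API-token basic auth.

    The credential is '<email>:<api token>' Base64-encoded. That is an
    encoding, not encryption: anyone who reads the header recovers the token.
    """
    raw = f"{email}:{api_token}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def bearer_auth_header(access_token: str) -> dict:
    """Authorization header used with an OAuth 2.0 (3LO) or Forge access token."""
    return {"Authorization": f"Bearer {access_token}"}


def form_index_url(cloud_id: str, issue_id_or_key: str) -> str:
    """URL for GET .../issue/{issueIdOrKey}/forms (Get form index).

    Path parameters are percent-encoded so an unexpected '/' or '?' in an
    issue key cannot change which resource is addressed.
    """
    return (f"{FORMS_API_BASE}/jira/forms/cloud/{quote(cloud_id, safe='')}"
            f"/issue/{quote(issue_id_or_key, safe='')}/forms")


def decode_basic_header(header_value: str) -> tuple:
    """Recover (email, token) from a Basic header; demonstrates reversibility."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    email, _, token = base64.b64decode(encoded).decode("utf-8").partition(":")
    return email, token


def redact(headers: dict) -> dict:
    """Copy of a header dict that is safe to write to logs."""
    return {k: ("<redacted>" if k.lower() == "authorization" else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials or identifiers.
    hdr = basic_auth_header("dev@example.com", "EXAMPLE_API_TOKEN")
    print(form_index_url("constructed-cloud-id", "PROJ-1"))
    print(redact(hdr))
```

Keep the token in an environment variable or secret store rather than in source, and log only the redacted copy.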
