Security helps protect customer data from unauthorized access and from malicious or accidental changes. It also allows administrators to install apps with confidence, letting users enjoy the benefits of apps without worry.
Security is implemented differently, depending on what you are building:
Check out our step-by-step guide to building a trustworthy Atlassian app and Marketplace business.
Forge apps use OAuth 2.0 when authenticating with Jira. Scopes are an OAuth 2.0 mechanism that limits an app's access to a user's account. The Forge platform also provides managed APIs to make requests on behalf of the user, meaning that third-party code is never trusted with user credentials.
In addition, the Forge platform itself is inherently secure, in the way that it executes software and how it manages data.
Learn more about Security for Forge apps
Atlassian Connect apps use JWT (JSON Web Tokens) for authentication. This technology is built into the supported Atlassian Connect libraries. If you use the client frameworks, most security operations are handled for you.
Atlassian Connect apps can use two types of authorization:
Learn more about Security for Connect apps
OAuth 2.0 (3LO) apps use three-legged OAuth, also known as OAuth 2.0 authorization code grants. OAuth 2.0 (3LO) is a token-based method for authentication and authorization. This method allows your 3LO app to access Atlassian APIs on a user's behalf. Unlike two-legged OAuth, three-legged OAuth involves the end user in the authorization process by asking them to provide consent to access to their data.
Authenticated access for OAuth 2.0 (3LO) apps is provided by an access token that's used to make calls to the API. The 3LO app provides the authentication credentials that are used to get an access token for the desired API.
Authorization for OAuth 2.0 (3LO) apps is implemented via scopes. Scopes statically specify the maximum set of actions that an app may perform. Note, 3LO scopes are different to Connect scopes.
OAuth 2.0 (3LO) apps are created and managed in the developer console.
Learn more about OAuth 2.0 (3LO) apps
Scripts and other REST API clients use basic authentication. Basic authentication uses an API token to authenticate the client. The token is generated from a user's Atlassian Account, encoded, then added to the header for requests to the API.
Authorization for basic authentication is based on the permissions of the user you used to generate
the API token. For example, if you're using basic authentication, your user must have the
Administer projects permission for a project to call PUT /rest/api/3/project/{projectIdOrKey}
(Update project).
We recommend that you only use basic authentication if you have other security measures in place.
Rate this page: