Last updated Jul 18, 2024

Security overview

Security helps protect customer data from unauthorized access and from malicious or accidental changes. It also allows administrators to install apps with confidence, letting users enjoy the benefits of apps without worry.

Security is implemented differently, depending on what you are building:

  • Forge apps
  • Connect apps
  • OAuth 2.0 (3LO) apps
  • Scripts or other REST API clients

Forge apps

Forge apps use OAuth 2.0 when authenticating with Jira. Scopes are an OAuth 2.0 mechanism that limits an app's access to a user's account. The Forge platform also provides managed APIs to make requests on behalf of the user, meaning that third-party code is never trusted with user credentials.

In addition, the Forge platform itself is inherently secure, in the way that it executes software and how it manages data.

Learn more about Security for Forge apps

Connect apps

Atlassian Connect apps use JWT (JSON Web Tokens) for authentication. This technology is built into the supported Atlassian Connect libraries. If you use the client frameworks, most security operations are handled for you.

Atlassian Connect apps can use two types of authorization:

  • Authorization via scopes and app users: Scopes are permissions that are defined in the app descriptor. The app has its own app user with permissions controlled by the admin. The set of allowed actions is the intersection of the scopes and the permissions of the app user.
  • Authorization with user impersonation: User impersonation allows your integration to access Atlassian APIs on a user's behalf.

Learn more about Security for Connect apps

OAuth 2.0 (3LO) apps

OAuth 2.0 (3LO) apps use three-legged OAuth, also known as OAuth 2.0 authorization code grants. OAuth 2.0 (3LO) is a token-based method for authentication and authorization. This method allows your 3LO app to access Atlassian APIs on a user's behalf. Unlike two-legged OAuth, three-legged OAuth involves the end user in the authorization process by asking them to provide consent to access to their data.

Authenticated access for OAuth 2.0 (3LO) apps is provided by an access token that's used to make calls to the API. The 3LO app provides the authentication credentials that are used to get an access token for the desired API.

Authorization for OAuth 2.0 (3LO) apps is implemented via scopes. Scopes statically specify the maximum set of actions that an app may perform. Note, 3LO scopes are different to Connect scopes.

OAuth 2.0 (3LO) apps are created and managed in the developer console.

Learn more about OAuth 2.0 (3LO) apps

Scripts and other REST API clients

Scripts and other REST API clients use basic authentication. Basic authentication uses an API token to authenticate the client. The token is generated from a user's Atlassian Account, encoded, then added to the header for requests to the API.

Authorization for basic authentication is based on the permissions of the user you used to generate the API token. For example, if you're using basic authentication, your user must have the Administer projects permission for a project to call PUT /rest/api/3/project/{projectIdOrKey} (Update project).

We recommend that you only use basic authentication if you have other security measures in place.

Learn more about Basic auth for REST APIs

Rate this page: