Last updated Dec 12, 2023

Security overview

Security helps protect customer data from unauthorized access and from malicious or accidental changes. It also allows administrators to install apps with confidence, letting users enjoy the benefits of apps without worry.

Security is implemented differently, depending on what you are building:

  • Forge apps
  • OAuth 2.0 (3LO) apps
  • Scripts or other REST API clients

Forge apps

Forge apps use OAuth 2.0 when authenticating with Jira. Scopes are an OAuth 2.0 mechanism that limits an app's access to a user's account. The Forge platform also provides managed APIs to make requests on behalf of the user, meaning that third-party code is never trusted with user credentials.

In addition, the Forge platform itself is inherently secure, in the way that it executes software and how it manages data.

Learn more about Security for Forge apps

OAuth 2.0 (3LO) apps

OAuth 2.0 (3LO) apps use three-legged OAuth, also known as OAuth 2.0 authorization code grants. OAuth 2.0 (3LO) is a token-based method for authentication and authorization. This method allows your 3LO app to access Atlassian APIs on a user's behalf. Unlike two-legged OAuth, three-legged OAuth involves the end user in the authorization process by asking them to provide consent to access to their data.

Authenticated access for OAuth 2.0 (3LO) apps is provided by an access token that's used to make calls to the API. The 3LO app provides the authentication credentials that are used to get an access token for the desired API.

Authorization for OAuth 2.0 (3LO) apps is implemented via scopes. Scopes statically specify the maximum set of actions that an app may perform. Note, 3LO scopes are different to Connect scopes.

OAuth 2.0 (3LO) apps are created and managed in the developer console.

Learn more about OAuth 2.0 (3LO) apps

Scripts and other REST API clients

Scripts and other REST API clients use basic authentication. Basic authentication uses an API token to authenticate the client. The token is generated from a user's Atlassian Account, encoded, then added to the header for requests to the API.

Authorization for basic authentication is based on the permissions of the user you used to generate the API token. For instance, if you're utilizing basic authentication, the user must possess the Team Admin permission to add a schedule to the team. This can be done by calling POST{cloudId}/v1/schedules/ (Create Schedule).

To learn more, read Basic auth for REST APIs.

Rate this page: