Changelog

Forge apps can now make API calls on behalf of JSM portal-only users. JSM portal-only users (also called customer account users) are customers who access your service desk through the JSM portal but don't have a full Atlassian account.

With this release, asUser() in Forge now works for customer accounts from both the frontend and the backend.

Apps can now perform actions like creating customer requests, reading comments, and updating tickets in the context of the portal-only user, with full permission checks preserved, exactly as they would be for a standard Atlassian account user.

The changes will be reflected upon redeployment of the Forge app.

Forge apps using the UI Modifications API configured for Issue View will now have their modifications applied when issues are opened via ViewIssueModal (for example, from global pages, admin pages, or custom UI panels).

Previously, UI Modifications were not loaded silently in this context. This applies to all supported project types, and requires no changes to your app's manifest or code

For more details, see the Jira UI modifications documentation.

As recently announced in Raising the bar on Marketplace cloud app security: together we are updating the Marketplace Security Bug Fix Policy to shorten vulnerability remediation timelines for Marketplace cloud apps. These changes ensure a higher security standard across our ecosystem.

What’s changing
The remediation Service Level Objectives (SLOs) for Marketplace cloud apps are being shortened. The timelines for Data Center apps remain unchanged.

Updated Cloud App SLOs (Enforceable September 1, 2026):

• Critical: 10 days

• High: 4 weeks

• Medium: 12 weeks

• Low: 25 weeks

Data Center App SLOs (Unchanged):

• Critical: 12 weeks

• High: 12 weeks

• Medium: 12 weeks

• Low: 25 weeks

Additionally, we have published the Marketplace Security Enforcement Policy, a consolidated source of truth for marketplace security compliance expectations, including vulnerability management, OAuth compliance, partner verification, bug bounty participation, and incident response.

What you need to do

• Review the new timelines: Ensure your internal processes are updated to meet the new cloud app SLOs by September 1, 2026.

• Check your tickets: We have corrected an issue where some AMS Data Center tickets incorrectly showed cloud remediation dates. If you believe a ticket still has an incorrect date, please raise an ECOHELP ticket.

• Watch the policy page: The Marketplace Security Enforcement Policy is a living document, we recommend "watching" the page for future updates.

We've introduced the Tile component for Forge UI Kit apps, now available in Preview. The Tile component is a rounded square container for displaying assets like emojis, or objects in a consistent, styled way.

The component supports various sizes (from 16px to 48px), customizable background colors using design tokens, optional borders, and adjustable internal padding for different asset types including third-party logos.

For implementation details and examples, see the Tile component documentation.

The jira:actionValidator module (Preview) now supports the workItemTypeChanged action across multiple flows, enabling custom validation whenever a user changes a work item's type. The validator is triggered in:

• Issue view - the user changes the work item type from the type field on the issue view.

• Move issue - when the work item type changes as part of moving an issue.

• Bulk move/migrate - the work item type changes as part of a bulk move or migration.

• Convert to subtask - when a standard work item is converted to a subtask type.

• Convert subtask to a work item - when a subtask is converted to a standard work item.

Also, a new context variable newIssueTypeData (type: IssueType) has been onboarded alongside the existing newIssueType (type: String, returns the issue type ID), allowing more refined conditions on the target work item type within your Jira expression.

Read more here - https://developer.atlassian.com/platform/forge/manifest-reference/modules/jira-action-validator/#workitemtypechanged

The Revoke portal-only access for user JSM API is now generally available (GA). We have removed the experimental flag, meaning the API will no longer be modified without prior notice.

What's changing

• GA Status: The API is no longer experimental.

• Error Handling: We've updated the status code from 400 to 404 when a passed accountId does not exist.

What you need to do

If you are currently using this API, update your error handling to account for the new 404 status code when a user is not found. You can find the full technical details in the Jira Service Management Cloud REST API documentation.

Forge custom fields can no longer be edited through the legacy bulk edit wizard (/secure/views/bulkedit/BulkEditDetails.jspa). On the legacy screen, they now appear under Unavailable actions with a redirect message.

Forge custom fields remain fully supported in the new bulk edit experience, available from the list view, backlog view, and JQL search page.

Following Forge modules - jira:customField, jira:customFieldType and jira:issuePanel can now run for unlicensed and anonymous users in Jira and Jira Service Management. This means your apps will work on publicly accessible pages and for users who don't have a full Jira and JSM license.

By default, Forge apps only run for licensed Jira and JSM users. To allow your app to serve unlicensed and anonymous users, add the unlicensedAccess property to your modules in manifest.yml.

Please refer to following guide for more details - https://developer.atlassian.com/platform/forge/access-to-forge-apps-for-unlicensed-users/#introduction.

We've introduced a new REST API endpoint that creates a customer account and also has option to send them
an invitation email to a service desk in Jira Service Management — all in a single call.
After receiving the invitation, the new customer can log in to the customer portal.

• Endpoint: POST /rest/servicedeskapi/servicedesk/{serviceDeskId}/customer/invite

• Required fields: email and displayName of the new customer, and the service desk ID

• Required permissions: Jira Administrator Global permission and Service Desk Administrator permission

For more information, see Invite customer API.

We have now added the ability to use the following as dynamic modules, available under Forge’s Early Early Access Program (EAP):

• Portal header

• Portal request view action

• Portal request detail

To start testing, sign up for the EAP here.

Forge apps can declare displayConditions in the app manifest for the following JSM portal modules and have them evaluated by the host, consistent with how display conditions work for Jira and Confluence Forge modules today:

• Portal footer

• Portal header

• Portal profile panel

• Portal request create property panel

• Portal request detail

• Portal request detail panel

• Portal request view action

• Portal subheader

• Portal user menu action

Since the preview release, we’ve also added support for the serviceDesk and customerRequest context variables in the Jira expressions that back display conditions for these modules.

For further details, including available conditions and context variables, see the documentation

The jira:globalBackgroundScript module is now more powerful and adds following major functionality to the module -

• Experience-based access control - Restrict which Jira views your script runs on using the experience property in the manifest. If no experience is specified, the script will not run anywhere.

• Modal support - Open modal dialogs from a background script on any allowed view using the https://developer.atlassian.com/platform/forge/apis-reference/ui-api-bridge/modal/.

• View context access - Access view-specific context such as issueKey, projectId, boardId, and project.type depending on the current Jira view.

Please read more here https://developer.atlassian.com/platform/forge/manifest-reference/modules/jira-global-background-script/.

We’ve introduced a platform-level URL persistence and redirect feature for apps migrating from Connect to Forge. Jira and Confluence will now accept legacy Connect URLs (including full path, query parameters, and fragments) and transparently redirect them to the corresponding Forge app module. For more information on how it works, please see the documentation here.

You can now nominate genuine migration blockers or major customer‑impact risks via the “Request review” flow on FRGE issues.

This flow will allow us to triage and assess requests to address remaining blockers to Forge migration before Connect end of support in December 2026. We’ll review requests over 3 monthly cycles, then freeze decisions.

Please review for existing tickets before creating new FRGE tickets. You may also review the announcement.

Following this deprecation announcement on Feb 17, 2026, the Connect Inspector Service is now decommissoned.

We recommend migrating to Atlassian Forge for a more robust Events model, as Atlassian Connect will reach end of support in December 2026.

Developers who still need similar functionality can use the open‑sourced version of the tool.