Security helps protect customer data from unauthorized access and from malicious or accidental changes. It also allows administrators to install apps with confidence, letting users enjoy the benefits of apps without worry.
Security has two key parts: authentication (establishing who is making a request) and authorization (deciding what that caller may do).
Authentication and authorization methods differ depending on whether you are building an Atlassian Connect app or another type of integration.
These methods are summarized below.
Atlassian Connect apps use JWT (JSON Web Token) for authentication. Support for it is built into the supported Atlassian Connect libraries: if you use one of those frameworks, most security operations (creating, signing and validating tokens) are handled for you. Otherwise, you must construct, sign and validate JWTs yourself, including the query string hash (qsh) claim that binds each token to a single request. See Understanding JWT for Connect apps.
Atlassian Connect apps rely on two types of authorization:
You define scopes in the app descriptor to specify the maximum set of actions that an app may perform (read, write, and so on). This limit is enforced by Atlassian Connect on every request and cannot be bypassed by the app's own code; a request that exceeds the declared scopes is rejected regardless of the permissions of the user it runs as. To learn more, read our page on scopes.
Every app is assigned its own app user in a Cloud instance. In general, server-to-server requests are made by the app user. Client-side requests are made as the current user in the browser session, and are supported via the AP.request() method.
To learn more, read Security for Connect apps.
If the app needs to act on behalf of the user, you can make server-to-server requests using OAuth 2.0 user impersonation (see next section).
User impersonation allows your integration to access Atlassian APIs on a user's behalf. This is provided via the JWT Bearer token authorization grant type for OAuth 2.0, also known as two-legged OAuth with impersonation (2LOi). At a high level, the app builds a JWT assertion naming the user to impersonate, signs it with the shared secret it received at installation, and exchanges it at the Atlassian OAuth 2.0 authorization server for a short-lived access token. That access token is then used as a bearer token to make server-to-server calls to the product's API on behalf of that user. The calls are still bounded by the app's declared scopes and by the impersonated user's own permissions.
To learn more, read User impersonation for Connect apps.
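The following is an added example, not code from the Atlassian documentation or from any Connect library, that shows the two kinds of JWT discussed above with the Python standard library only: the request JWT with its qsh claim (the authentication section), and the JWT Bearer assertion exchanged for an access token in the 2LOi flow (the impersonation section). The app key, shared secret, OAuth client id, account id and tenant URL are constructed placeholders; the claim layout follows the Connect JWT and 2LOi specifications as a practitioner would implement them, but check it against the linked pages before relying on it.

```python
"""Added example (not Atlassian's own code): Connect request JWTs with qsh,
plus the 2LOi JWT Bearer assertion, signed with HS256 via the standard library."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholders; real values arrive in the app's install payload.
APP_KEY = "com.example.connect-app"
SHARED_SECRET = "constructed-shared-secret-not-a-real-one"
OAUTH_CLIENT_ID = "constructed-oauth-client-id"
TENANT_BASE_URL = "https://example.atlassian.net"
USER_ACCOUNT_ID = "5b10a2844c20165700ede21g"  # placeholder Atlassian account id
OAUTH_AUDIENCE = "https://oauth-2-authorization-server.services.atlassian.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_request(method: str, url: str, base_url: str) -> str:
    """METHOD&path&query, the string whose SHA-256 hex digest is the qsh claim.
    The path is relative to the product base URL (so Confluence's /wiki context
    path is stripped); query keys are sorted, values sorted and comma-joined,
    everything percent-encoded, and the 'jwt' parameter is excluded."""
    parsed = urlparse(url)
    base_path = urlparse(base_url).path.rstrip("/")
    path = parsed.path
    if base_path and path.startswith(base_path):
        path = path[len(base_path):]
    path = path.rstrip("/") or "/"
    params = parse_qs(parsed.query, keep_blank_values=True)
    parts = []
    for key in sorted(k for k in params if k != "jwt"):
        values = ",".join(quote(v, safe="") for v in sorted(params[key]))
        parts.append(f"{quote(key, safe='')}={values}")
    return f"{method.upper()}&{path}&{'&'.join(parts)}"


def qsh(method: str, url: str) -> str:
    return hashlib.sha256(canonical_request(method, url, TENANT_BASE_URL).encode()).hexdigest()


def sign_hs256(claims: dict) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid, the alg is pinned to HS256
    and the token has not expired; None otherwise. The signature is checked
    with a constant-time comparison before anything in the token is trusted."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SHARED_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def request_jwt(method: str, url: str, now: Optional[int] = None) -> str:
    """JWT for a server-to-server call made as the app user."""
    now = int(time.time()) if now is None else now
    return sign_hs256({"iss": APP_KEY, "iat": now, "exp": now + 180, "qsh": qsh(method, url)})


def qsh_matches(token: str, method: str, url: str) -> bool:
    """What the receiving side checks: valid signature AND qsh bound to this exact request."""
    claims = verify_hs256(token)
    return claims is not None and claims.get("qsh") == qsh(method, url)


def impersonation_assertion(now: Optional[int] = None) -> str:
    """JWT Bearer assertion for 2LOi. It is POSTed to the authorization server as
    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<this JWT>
    and the response carries the access token used as a Bearer token for the user."""
    now = int(time.time()) if now is None else now
    return sign_hs256({
        "iss": f"urn:atlassian:connect:clientid:{OAUTH_CLIENT_ID}",
        "sub": f"urn:atlassian:connect:useraccountid:{USER_ACCOUNT_ID}",
        "tnt": TENANT_BASE_URL,
        "aud": OAUTH_AUDIENCE,
        "iat": now,
        "exp": now + 60,  # the assertion's lifetime is capped at 60 seconds
    })
```

The point to take from `qsh_matches` is that a Connect JWT is bound to one HTTP method and path: a token captured from a GET cannot be replayed against a DELETE of the same resource, and the receiver must recompute the hash from the request it actually received rather than trust the claim. The impersonation assertion is only ever sent to the authorization server, never to the product API; what the API sees is the access token it returns.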
Connect is not the only solution for integrating with Atlassian products. For other types of integrations, such as scripts or bots, use basic authentication to access the Atlassian APIs.
Basic authentication uses an API token to authenticate the client. The token is generated from a user's Atlassian Account, combined with that account's email address as `email:token`, Base64-encoded, and sent in the `Authorization: Basic` header of each request to the API. Treat the token like a password: it grants everything the account can do, so store it in a secrets manager rather than in source code, and revoke it from the account when it is no longer needed.
Authorization for basic authentication is based on the permissions of the user you used to generate the API token. For example, if you are using basic authentication, your user must have the Admin permission for a space in order to call PUT /wiki/rest/api/space/{spaceKey} (Update space).
To learn more, read Basic auth for REST APIs.