Last updated Jan 11, 2021

Authentication and authorization

This overview explains how to authenticate and authorize your apps to work with Atlassian products. There are two main factors that determine how an app can work securely with an Atlassian product:

Authentication tells the host product the identity of your app or integration.
Authorization determines what your app or integration is allowed to do in the host product.

The best way to authenticate depends on the type of app you are building and the stage of development you're at. Read on to learn more about the authentication and authorization methods that are right for your project.

Jira and Confluence Cloud

Forge, Atlassian's latest app development platform, handles authentication for your app using managed APIs and OAuth 2.0 protocols. To find out if Forge is right for your project, see the comparison of cloud development options and the Forge security overview.

If you are building a Jira or Confluence app outside of Forge, the table below compares the authentication and authorization methods available for other types of development projects:

Development goal	Authentication method (identity)	Authorization (access)
Private use of REST APIs, such as testing or personal scripting.	Basic authentication	The app’s access level is the same as the user who generated the token. Administrators can’t revoke this access without disabling the user who generated the token.
Integrations that require: Use of product REST APIs User-granted authorization (OAuth 2.0) Private use or limited Marketplace distribution	OAuth 2.0 (3L0) Developers must register OAuth 2.0 (3L0) apps in the developer console. OAuth 2.0 (3L0) does not work with Atlassian Connect apps.	App access level is set with OAuth scopes, and users grant access during the install flow. See the API reference documentation to determine the scopes required for each operation.
Apps that require some or all of these features, provided by the Atlassian Connect frameworks: In-product UI modules Product REST APIs or JS APIs User impersonation Marketplace listing for commercial distribution	JWT token (Bearer) with Atlassian Connect Setup is handled for you by the Connect frameworks.	Connect app access levels are set with Connect scopes for Jira and Confluence. You can optionally add impersonation on top of this. See Jira user impersonation or Confluence user impersonation.

To learn how to implement these authentication and authorization methods, see these pages:

Jira Cloud platform security overview
Jira Service Desk Cloud security overview
Jira Software Cloud security overview: Note, OAuth 2.0 (3LO) is currently not available for Jira Software.
Confluence Cloud security overview

Other cloud products

Authentication and authorization work a little differently for Bitbucket Cloud and other Atlassian products. Review the security information for the product you’d like to develop with for details:

See our full list of cloud products for more developer information.

Server and Data Center

Apps authenticating with a server or Data Center product use some of the same methods as cloud, but with a few key differences.

API	Authentication method
Java APIs	Java APIs typically need no special authentication beyond requesting the necessary permissions upon install.
REST APIs	REST APIs can use OAuth 1.0a, which requires site admins to generate a private/public key pair and configure an incoming application link for your app. For personal use or scripting, you can also use basic authentication with a username and password.

Take a look at the security docs for each server product for more details:

Jira Server security overview covers topics like OAuth, basic authentication, and more.
Confluence Server security
- HTTP authentication with Seraph, Confluence Server’s default security system.
- Make REST API endpoints available for JWT authentication.
- How to secure your macro.
Bitbucket Server API information. See the section on Personal access tokens.

See our full list of server products for more developer information.