Last updated Apr 21, 2020

Authentication and authorization for developers

This overview explains how developers authenticate apps and integrations with Atlassian and how to authorize apps to do things in our products.

There are two main factors that determine how an app can work securely with an Atlassian product:

  • Authentication tells the host product the identity of your app or integration.
  • Authorization determines what your app or integration is allowed to do in the host product.

The best way to authenticate depends on the type of integration you are building and the stage of development you are at. Additionally, some authentication methods have more limited options to customize user-level and app-level authorization.

Read on to learn more about the authentication and authorization methods that are right for your project.

Jira and Confluence Cloud

This table explains the authentication and authorization options best suited for different types of Jira and Confluence development projects, listed roughly from least to most secure:


Development goal and stage: Private use of REST APIs, such as testing or personal scripting.
Authentication method (identity): Basic authentication
Authorization (access): The app’s access level is the same as the user who generated the token. Administrators can’t revoke this access without disabling the user who generated the token.

Development goal and stage: Apps and integrations that require:
  • Use of product REST APIs
  • User-granted authorization (3LO)
  • Private use or limited Marketplace listing
Authentication method (identity): 3LO (OAuth 2.0). Developers must register 3LO apps in the app management console. 3LO does not work with apps built with Connect.
Authorization (access): App access level is set with OAuth scopes, and users grant access during the install flow. See the API reference documentation to determine the scopes required for each operation.

Development goal and stage: Apps and integrations that require some or all of these features, provided by the Atlassian Connect frameworks:
  • In-product UI modules
  • Product REST APIs or JS APIs
  • Impersonation, or acting on behalf of individual users
  • Marketplace listing for commercial publication
Authentication method (identity): JWT token (Bearer) with Connect. Setup is handled for you by Atlassian’s Connect frameworks.
Authorization (access): Connect app access levels are set with Connect scopes for Jira and Confluence. You can optionally add impersonation on top of this. See Jira user impersonation or Confluence user impersonation.

To learn how to implement these authentication and authorization methods, see these pages:

Are you building an integration that requires Atlassian APIs and product UI modules? Consider joining the Forge beta program. Forge is the new Atlassian-hosted development platform with built-in security measures to simplify authentication and keep user credentials out of your code.

Other cloud products

Authentication and authorization work a little differently for Bitbucket Cloud and other Atlassian products. Review the security information for the product you’d like to develop with for details:

See our full list of cloud products for more developer information.

Server and Data Center

Apps authenticating with a server or Data Center product use some of the same methods as cloud, but with a few key differences.

API: Java APIs
Authentication method: Java APIs typically need no special authentication beyond requesting the necessary permissions upon install.

API: REST APIs
Authentication method: REST APIs can use OAuth 1.0a, which requires site admins to generate a private/public key pair and configure an incoming application link for your app. For personal use or scripting, you can also use basic authentication with a username and password.

Take a look at the security docs for each server product for more details:

See our full list of server products for more developer information.
