This overview explains how developers authenticate apps and integrations with Atlassian and how to authorize apps to do things in our products.
There are two main factors that determine how an app can work securely with an Atlassian product:
The best way to authenticate depends on the type of integration you are building and the stage of development you are at. Additionally, some authentication methods have more limited options to customize user-level and app-level authorization.
Read on to learn more about the authentication and authorization methods that are right for your project.
This table explains the authentication and authorization options best suited for different types of Jira and Confluence development projects, listed roughly from least to most secure:
|Development goal and stage||Authentication method (identity)||Authorization (access)|
|Private use of REST APIs, such as testing or personal scripting.||Basic authentication||The app’s access level is the same as the user who generated the token. Administrators can’t revoke this access without disabling the user who generated the token.|
|Apps and integrations that require: ||3LO (OAuth 2.0). Developers must register 3LO apps in the app management console. 3LO does not work with apps built with Connect.||App access level is set with OAuth scopes, and users grant access during the install flow. See the API reference documentation to determine the scopes required for each operation.|
|Apps and integrations that require some or all of these features, provided by the Atlassian Connect frameworks: ||JWT token (Bearer) with Connect. Setup is handled for you by Atlassian’s Connect frameworks.||Connect app access levels are set with Connect scopes for Jira and Confluence. You can optionally add impersonation on top of this. See Jira user impersonation or Confluence user impersonation.|
To learn how to implement these authentication and authorization methods, see these pages:
Are you building an integration that requires Atlassian APIs and product UI modules? Consider joining the Forge beta program. Forge is the new Atlassian-hosted development platform with built-in security measures to simplify authentication and keep user credentials out of your code.
Authentication and authorization work a little differently for Bitbucket Cloud and other Atlassian products. Review the security information for the product you’d like to develop with for details:
See our full list of cloud products for more developer information.
Apps authenticating with a server or Data Center product use some of the same methods as cloud, but with a few key differences.
|Java APIs||Java APIs typically need no special authentication beyond requesting the necessary permissions upon install.|
|REST APIs||REST APIs can use OAuth 1.0a, which requires site admins to generate a private/public key pair and configure an incoming application link for your app. For personal use or scripting, you can also use basic authentication with a username and password.|
Take a look at the security docs for each server product for more details:
See our full list of server products for more developer information.