Rate this page:
This overview explains how to authenticate and authorize apps to work with Atlassian products. There are two main factors that determine how an app can work securely with an Atlassian product:
The best way to authenticate depends on the type of app you are building and the stage of development you are at. Read on to learn more about the authentication and authorization methods that are right for your project.
Forge, Atlassian's latest app development platform, handles authentication for your app using managed APIs and OAuth 2.0 protocols. To find out if Forge is right for your project, see the comparison of cloud development options and the Forge security overview.
If you are building a Jira or Confluence app outside of Forge, the table below compares the authentication and authorization methods available for other types of development projects:
|Development goal||Authentication method (identity)||Authorization (access)|
|Private use of REST APIs, such as testing or personal scripting.||Basic authentication||The app’s access level is the same as the user who generated the token. Administrators can’t revoke this access without disabling the user who generated the token.|
|Integrations that require: ||OAuth 2.0 (3L0)|
Developers must register OAuth 2.0 (3L0) apps in the developer console. OAuth 2.0 (3L0) does not work with Atlassian Connect apps.
|App access level is set with OAuth scopes, and users grant access during the install flow. See the API reference documentation to determine the scopes required for each operation.|
|Apps that require some or all of these features, provided by the Atlassian Connect frameworks: ||JWT token (Bearer) with Atlassian Connect |
Setup is handled for you by the Connect frameworks.
|Connect app access levels are set with Connect scopes for Jira and Confluence.
You can optionally add impersonation on top of this. See Jira user impersonation or Confluence user impersonation.
To learn how to implement these authentication and authorization methods, see these pages:
Authentication and authorization work a little differently for Bitbucket Cloud and other Atlassian products. Review the security information for the product you’d like to develop with for details:
See our full list of cloud products for more developer information.
Apps authenticating with a server or Data Center product use some of the same methods as cloud, but with a few key differences.
|Java APIs||Java APIs typically need no special authentication beyond requesting the necessary permissions upon install.|
|REST APIs||REST APIs can use OAuth 1.0a, which requires site admins to generate a private/public key pair and configure an incoming application link for your app. For personal use or scripting, you can also use basic authentication with a username and password.|
Take a look at the security docs for each server product for more details:
See our full list of server products for more developer information.
Rate this page: