Product REST APIs
Async events API
Fetch API


You can use requestConfluence to make a request to the Confluence REST API from within your Forge app. The client includes an Authorization header based on the context-bound fetch call.

To use requestConfluence, import the Forge API package in your app:

import api, { route } from '@forge/api';

To check the status of a request, use status as shown below:

const result = await api
      path[, options]
const status = result.status;

Method signature

// Authenticated
api.[asApp | asUser]().requestConfluence(path[, options]) => Promise<Response>

// Unauthenticated (used for operations that do not support OAuth 2.0)
api.requestConfluence(path[, options]) => Promise<Response>

When making an authenticated API call, you can specify whether to use the app (asApp) or its user (asUser) as the context:


Use this method to call an Atlassian API as the app, using the app user. If your app has all the required permissions, the request will work regardless of who uses the app.

When using asApp, you can use the Authorize API to verify user permissions before making the request.


Use this method to call an Atlassian API as the user of the app.

If the user initiating the request has not granted permission to the app, the request is made without a valid Authorization header.

If the API returns a 401 and there isn't a valid Authorization header, then an Error is thrown.

  • If this error isn't caught, the user is prompted to grant access to the app.
  • If the user grants access, the app is re-initialized.

Note: This context method is only available in modules that support the UI kit.

Path construction (route)

You must use the route tagged template function to construct the path that's passed to the product fetch APIs. route blocks unsafe interpolated parameters in the path and encodes the query parameters using encodeURIComponent. This provides protection against security vulnerabilities, such as path traversal and query string injection.


import { route } from '@forge/api';

// With no parameters

// With parameter: e.g. '/rest/api/3/issue/ISSUE-1'

// With query parameters: e.g. '/rest/api/3/issue/ISSUE-1?fields=summary'

// With more complex query parameters: e.g. '/rest/api/3/issue/ISSUE-1?fields=summary' or '/rest/api/3/issue/ISSUE-1'
const queryParams = new URLSearchParams({
  ...(filterFields ? { fields: fieldsToDisplay } : {}),

When route is called, the Forge runtime also checks for possible path manipulation attempts (for example, issueKey or repo_slug coming from the user as ../../../evil_api_call), escaping or blocking as needed.

If the URL is constructed separately, the runtime might throw an exception for this as a false positive. This is because the runtime has no way of knowing which parts might have been manipulated by the user.

You have the option to bypass this requirement by using assumeTrustedRoute from @forge/api. However, you should only do this if absolutely needed because this puts you at risk of security vulnerabilities if used without a validated or trusted route.


Authenticated example

Make a request to the /wiki/rest/api/content resource on the Confluence site where the app is installed:

api.[asApp | asUser]().requestConfluence(route`/wiki/rest/api/content`);

Unauthenticated example

Make a request to the /wiki/rest/api/audit resource on the Confluence site where the app is installed, using basic authentication:

api.requestConfluence(route`/wiki/rest/api/audit`, {
  headers: {
    'Authorization': 'Basic <base64 token>'

Rate this page: