Build and test your Forge app

• Map key use cases and user flows (entry points, permissions, roles)
• Select Forge modules/extension points (e.g., Jira issue panel, Confluence byline, custom UI)
• Design UI with Atlassian Design System principles
• Ensure accessibility compliance

Getting architecture and UX right early avoids expensive rework. Aligning with Atlassian's design system makes your app feel native, which directly impacts adoption and review approval.

• User interface
• Atlassian Design
• Atlaskit

• Create and scaffold the app using forge create
• Configure app manifest (modules, permissions)
• Implement business logic and features
• Configure auth scopes/permissions (principle of least privilege)
• Use minimal OAuth scopes and document why each is needed

Minimal scopes and a clean manifest aren't just best practice; they directly affect your security review outcome and customer trust.

• Manage your apps

• Apply secure coding practices (validation, encoding, secret handling)
• Document data access, retention, and residency considerations
• Review security requirements and guidelines
• Plan for security questionnaires and trust programs

Security issues discovered during review will block your listing. Building security in from the start is far cheaper than retrofitting after a failed review or, worse, a customer incident.

• Build customer trust in cloud
• Security guidelines for Marketplace Partners
• Security guidelines for Marketplace apps
• Security requirements for cloud apps
• Ecoscanner
• Pre-launch trust checklist: How to make sure your app is trustworthy before launching on the Atlassian Marketplace
• Data privacy guidelines for developers
• Understand data residency
• Standard contractual clauses (SCCs) and cross-border transfers

• Ensure reasonable response times
• Implement efficient API usage patterns
• Test performance under load
• Monitor and optimize resource consumption

Slow apps get uninstalled. Inefficient API usage can also hit Forge rate limits and quotas, causing failures at scale that didn't show up in development.

• Enable sharing for your app in the developer console
• Write unit and integration tests for critical paths
• Manual QA on clean dev/test sites across supported products/contexts
• Verify uninstall, reinstall, and upgrade flows
• Cross-browser testing for any custom UI
• Test with different user permission levels

Reviewers test your app on a clean site, so make sure install, uninstall, and upgrade flows work correctly outside your development environment.

• Distribute your apps

• Review Marketplace security bug bounty program
• Consider marketplace penetration testing program
• Review Runs on Atlassian and Architected for Atlassian programs
• Plan for ongoing vulnerability management

These programs aren't just checkboxes; they're signals that enterprise customers look for when evaluating apps. Participating early can differentiate your app in competitive categories.

• Marketplace Security Bug Bounty Program
• Marketplace Penetration Testing Program
• Runs on Atlassian
• Vulnerability management for Marketplace apps
• App security incident management guidelines for Marketplace Partners