I have an external-facing JSM Space that is required to have external 'customers' access, at the very least to communicate via email / create tickets via email. These range from incoming to former employees, partners, customers, etc.
However, one thing I've noticed is that even if the space is restricted, open, I can still use the customer session token with a portal-only account and gather info from my org like users, account IDs, usernames, emails, and easily gather the metadata from the forms, site, etc.
Not too concerned with the field data, but being able to get the user info is a bit worrisome using endpoints:
/rest/servicedesk/1/customer/portal
The only method I've found to stop this is to toggle the "Allow customers to get support in JSM" under Portal-only customers in site settings. However, this will prevent our customers from emailing in to create tickets.
Is there a built-in method to restrict this while still allowing people to email to create tickets and communicate? Or are the only options to close off customer support or use an addon like JEHMC?
Hi @Robert
In short: on JSM Cloud there is currently no native setting that allows email-based customer support while completely removing authenticated customer portal API access. The choice is generally between allowing portal customers, disabling customer support access entirely, or implementing an alternative email-ingestion approach outside the standard JSM customer model.
My team at SaaSJet built Smart Forms for Jira as an alternative intake channel for teams willing to replace JSM requests with something more flexible.
The way it works: external users submit requests via a public Smart Form link or embed forms on a website or Confluence. No Atlassian account is needed to submit a request, no portal session is issued, no exposure to /customer/portal. Submissions create JSM issues directly with mapped fields, so your agents' workflow in JSM stays exactly the same.