Hello Team,
We are a vendor building an integration with the Jira Cloud REST APIs for backup and restore purposes. We are currently considering these two approaches for customer onboarding:
1. Customers authorize through our distributed 3LO app. The app is authorized on their behalf and generates an access token.
2. Customers create their own 3LO app in Atlassian, then provide us with the client ID and client secret so that we can connect through their app.
Recently, we saw Atlassian’s blog post, Building Secure and Scalable Integrations: Our Guidance for Third-Party Apps (Work Life by Atlassian), which mentions that apps collecting API tokens or using per-customer 3LO apps do not comply with Atlassian’s security requirements. The post also sets timelines (September 30, 2025 for compliant connectors and December 31, 2025 for migration).
Our question is:
Could you please clarify what specific onboarding methods will not be compliant under these requirements? For example, does this mean the per-customer 3LO app model will not be allowed, and only vendor-owned distributed apps remain supported?
We want to ensure our approach aligns with Atlassian’s requirements before releasing our integration.
Thank you,
Gopal G