Hello Atlassian Team,
We are a vendor building an integration with Jira Cloud REST APIs for backup and restore purposes. Our solution is offered in two deployment models:
SaaS offering – where customers authorize through our distributed vendor-owned 3LO app, which authorizes on their behalf and generates an access token.
On-premises software – where the application is installed in the customer’s environment. In this model, customers have typically created their own 3LO app in Atlassian and provided us the client ID and client secret, which we then use to connect through their app and generate an access token.
Recently, we reviewed Atlassian’s blog post: https://www.atlassian.com/blog/developer/building-secure-and-scalable-integrations-our-guidance-for-third-party-apps which mentions that:
- Apps collecting personal API tokens or using per-customer 3LO apps do not comply with Atlassian’s security requirements.
- These practices make it harder for Atlassian to trace the true origin of API requests, which reduces security and accountability.
- Atlassian has also set timelines: by September 30, 2025, vendors should release compliant connectors, and by December 31, 2025, customers must be migrated. After this, apps operating outside these standards may no longer be supported.
Our question is:
Could you please clarify how these requirements apply across both SaaS and on-premises deployment models? Specifically:
- Is the per-customer 3LO app model (where customers register their own OAuth app and share credentials) considered non-compliant for on-premises deployments?
- If so, what is the recommended approach for vendors who need to support customers running an on-premises version of the software?
We want to ensure our onboarding strategy fully complies with Atlassian’s requirements for both SaaS and on-premises customers before releasing our integration.
Thank you,
Gopal G
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.