Clarification on 3LO App Usage for Jira Cloud Integrations

gopal guna September 4, 2025

Hello Team,

We are a vendor building an integration with Jira Cloud REST APIs for backup and restore purposes. We are currently considering these two approaches for customer onboarding:

  1. Customers authorize through our distributed 3LO app. The app will be authorized on their behalf and generate an access token.

  2. Customers create their own 3LO app in Atlassian, then provide us the client ID and client secret to connect through their app.

Recently, we saw Atlassian’s Blog post: Building Secure and Scalable Integrations: Our Guidance for Third-Party Apps - Work Life by Atlassian, which mentions that apps collecting API tokens or using per-customer 3LO apps do not comply with Atlassian’s security requirements. The post also sets timelines (September 30, 2025 for compliant connectors and December 31, 2025 for migration).

Our question is:

Could you please clarify what specific onboarding methods will not be compliant under these requirements? For example, does this mean the per-customer 3LO app model will not be allowed, and only vendor-owned distributed apps remain supported?

We want to ensure our approach aligns with Atlassian’s requirements before releasing our integration.

Thank you,
Gopal G

1 answer

0 votes
Trisha Griffis
Contributor
September 8, 2025

Atlassian’s latest guidance on building secure and scalable integrations (June 2025) outlines clear expectations and key methods that are no longer compliant: 

What’s not compliant under Atlassian’s updated security policy

According to Atlassian, the following approaches violate their Acceptable Use Policy and Cloud App Security requirements:

  • Asking customers to generate and share API tokens with you, or storing those tokens.
  • Instructing customers to create per-customer or per-tenant 3LO apps and handing over client IDs/secrets.

These practices obscure the true origin of API requests and undermine security, traceability, and abuse prevention.

What is compliant and what you should be doing

  • Use a single, vendor-owned, distributable 3LO app managed through the Atlassian Developer Console.
  • List your app on the Atlassian Marketplace (recommended) to clearly identify it and ensure better visibility and trust.

These steps help maintain accountability and align with Atlassian’s requirements.

Key Dates to Know

  • September 30, 2025: Vendors must have compliant integrations deployed.
  • December 31, 2025: Customers must be migrated to compliant integrations; non-compliant setups may lose platform access.
