Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

how to access auth token in forge app resolver?

ankit jangid
ankit jangid July 23, 2025

I have carefully reviewed the Forge documentation and understand that user/app authentication tokens are accessible within Forge remote backends. However, I am seeking to access an authentication token directly within a resolver, thereby eliminating the need for an external backend solely for token retrieval. While I am aware that asApp() and asUser() suffice for making calls to product APIs without explicit authentication tokens, my objective is to obtain a bearer authentication token to call other Atlassian APIs. Is there a method to access such a bearer authentication token within a Forge app?

Answer
Watch
Like Be the first to like this
134 views

2 answers

1 vote
Tim Pettersen
Tim Pettersen
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 23, 2025

@Lucas Modzelewski _Lumo_ is correct — you can't extract the token used by `asApp()` or `asUser()`.

@ankit jangid may I ask which other Atlassian APIs you're attempting to call?

If the API does not support OAuth scopes, you can instead:

- generate a personal access token and set it as a Forge environment variable (use the `--encrypt` flag given it's a credential)

- override the `Authorization` header on the request to use the access token

However this will mean the app will authenticate with the API as the user you generated the access token for.

Please also note that this is also only suitable for apps that you're deploying for use in your own organisation. Our Security Requirements prohibit Marketplace Apps from soliciting API tokens from users. 

Hope this helps!

Tim

View More Comments
ankit jangid
ankit jangid July 24, 2025

  @Tim Pettersen Thank you for the detailed response. I am currently developing a Forge app for Confluence that subscribes to the avi:confluence:created:comment event. My goal is to automatically convert the Confluence page, where a comment containing a specific keyword was made, into a PDF and then upload that PDF as an attachment to the same page. This effectively creates a snapshot of the page.

I initially attempted to use standard Confluence APIs to retrieve the page content in HTML format. However, I encountered an issue where the HTML returned did not include the rendered content of macros, making it impossible to generate a complete and accurate PDF from that output.

As a workaround, I am now attempting to utilize the internal Confluence API: ${baseUrl}/spaces/flyingpdf/pdfpageexport.action?pageId=${pageId}. This API is used by Confluence itself for PDF page exports and reliably captures all page content, including macros. To successfully invoke this specific internal API, I understand that a user bearer token is required.

While this approach successfully allows me to convert a Confluence page to PDF, it currently necessitates obtaining an authentication token directly from users, which is something I aim to avoid.

Could you please provide guidance on how I can obtain the complete Confluence page content, including all rendered macros, in HTML format via an official Confluence API? If I can access this comprehensive HTML, I can then generate the PDF programmatically, thereby eliminating the need for the internal flyingpdf API and the requirement to solicit authentication tokens from users.

Like
Reply
0 votes
Lucas Modzelewski _Lumo_
Lucas Modzelewski _Lumo_
Atlassian Partner
July 23, 2025

You can’t directly access the user’s OAuth/JWT/bearer token in Forge resolvers (for security reasons) - that’s by design in the Forge platform.

The actual token is never exposed to your app code or frontend, so it can't be leaked or misused.

View More Comments
Lucas Modzelewski _Lumo_
Lucas Modzelewski _Lumo_
Atlassian Partner
July 24, 2025

Note: When exporting a page with macros to PDF, not all macros are supported in PDF export - be sure to check if the ones you need have correct data in export.

Also check this discussion: https://community.developer.atlassian.com/t/retrieve-the-html-content-from-a-confluence-page-to-display-it-exactly-as-it-appears-in-confluence/81166 

__
PS: If you ever get stuck with multiple attachments, I’ve built an app to help you remove attachments that aren’t used in the content:  https://marketplace.atlassian.com/apps/1236523/attachments-cleanup-assistant?hosting=cloud&tab=overview 

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security