Atlassian regularly updates the security rules that Forge apps must follow. Early 2026 brought a notable wave of changes, most of them aimed at reducing risk for the organisations that use these apps. Here is what changed and what it means for you as an admin or decision-maker.
When your team deploys or manages Forge apps, developer credentials are involved behind the scenes: the Forge CLI authenticates with an Atlassian API token. Until recently that token was a general-purpose one, carrying the same access as the developer's own user account across your Atlassian environment, so a leak (a token committed to a repository or left in a CI variable, for example) exposed far more than the deployment pipeline.
As of March 3, 2026, Forge CLI version 12.15.0 introduced scoped API tokens: credentials limited to what app deployment needs and nothing more. If a scoped token is leaked, it cannot be used to read or modify your Jira projects, Confluence spaces, or any other Atlassian data.
For organisations with strict security or compliance requirements, this makes it easier to approve automated Forge workflows and reduces the risk profile of app development in your environment. The practical follow-up for admins is to check where unscoped tokens are still in use, in CI pipelines and developer machines in particular, and have them replaced with scoped tokens and revoked.
On February 20, 2026, Atlassian published its annual update to the Cloud App Security Requirements, the baseline every Forge app listed on the Marketplace must meet. The 2026 update tightened the rules in four areas.
As Rovo agents become more capable, the risk of misuse grows too. Atlassian now requires apps to validate all inputs before passing them to a Rovo action, and to enforce permission checks before any admin-level operation is carried out.
In practice: a Rovo-powered app can no longer perform privileged actions without first verifying that the invoking user actually holds the permission to trigger them. The agent being able to call an action is not the same as the user being allowed to, and this distinction matters most in environments where agents act on behalf of users across projects or spaces.
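The shape of such a guard, as an added example rather than code from Atlassian or from any Forge app: the handler validates the payload against a strict schema first, then confirms the invoking user holds the required permission, and only then runs the privileged operation. The project-key pattern, the permission name and the permission table are this example's own assumptions; in a real app the permission lookup would call the product API on behalf of the user, and the guard would be asynchronous.

```javascript
// Added example, not Atlassian's or any app's own code. Demonstrates the
// validate-then-authorise pattern for an admin-level action invoked by an
// agent. Everything external (permission lookup, the archive operation) is
// injected so the example runs offline.

const PROJECT_KEY_RE = /^[A-Z][A-Z0-9_]{1,9}$/; // assumed shape of a project key

// Step 1: strict input validation. Returns a problem description or null.
function validateArchivePayload(payload) {
  if (!payload || typeof payload !== "object") return "payload must be an object";
  if (typeof payload.projectKey !== "string" || !PROJECT_KEY_RE.test(payload.projectKey)) {
    return "projectKey is not a valid project key";
  }
  if (typeof payload.reason !== "string" || payload.reason.length > 200) {
    return "reason must be a string of at most 200 characters";
  }
  return null;
}

// Step 2 and 3: authorise the invoking user, then perform the action.
//   hasPermission(accountId, permission, projectKey) -> boolean
//   archive(projectKey, reason) -> result
function guardedArchiveProject(context, payload, hasPermission, archive) {
  const problem = validateArchivePayload(payload);
  if (problem) return { ok: false, reason: "invalid input: " + problem };

  // An agent invocation with no user behind it must never reach an admin action.
  if (!context || !context.accountId) return { ok: false, reason: "no invoking user" };

  let allowed = false;
  try {
    allowed = hasPermission(context.accountId, "ADMINISTER_PROJECTS", payload.projectKey);
  } catch (e) {
    allowed = false; // fail closed: a failed lookup is treated as "not allowed"
  }
  if (!allowed) {
    return { ok: false, reason: "user lacks ADMINISTER_PROJECTS on " + payload.projectKey };
  }

  return { ok: true, result: archive(payload.projectKey, payload.reason) };
}

// Constructed sample data standing in for the product API.
const EXAMPLE_PERMISSIONS = { "account-1": new Set(["ADMINISTER_PROJECTS"]) };
function examplePermissionLookup(accountId, permission) {
  return (EXAMPLE_PERMISSIONS[accountId] || new Set()).has(permission);
}
const archivedProjects = [];
function exampleArchive(projectKey) {
  archivedProjects.push(projectKey);
  return { archived: projectKey };
}

console.log(guardedArchiveProject({ accountId: "account-1" },
  { projectKey: "OPS", reason: "cleanup" }, examplePermissionLookup, exampleArchive));
console.log(guardedArchiveProject({ accountId: "account-2" },
  { projectKey: "OPS", reason: "cleanup" }, examplePermissionLookup, exampleArchive));
```

The order is deliberate: validation runs before the permission lookup so that malformed input never reaches the API, and any error in the lookup denies the action rather than letting it through.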
Three requirements were added to strengthen data protection:
Apps must now use Atlassian's own secure framework for any third-party authentication (for example an OAuth flow against an external service), rather than implementing token handling and storage themselves, which has historically been a source of inconsistency.
App logs are now explicitly prohibited from containing personal data, credentials, or other sensitive information. This directly reduces the risk of a data breach through logging, even an unintentional one.
And apps must enforce strict isolation between tenants: one organisation’s data must never be accessible to another. This is foundational for a shared cloud platform and is now an enforceable requirement.
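The logging requirement above is easiest to meet by never letting raw objects reach the log sink. The following is an added example, not code from Atlassian or from any Forge app: a small redacting wrapper that strips credential-bearing keys and obvious personal data before a line is written. The key names and patterns it knows about are this example's own choices and should be extended for the data your app handles.

```javascript
// Added example, not Atlassian's or any app's own code. Redacts sensitive
// fields and patterns from structured log data before it is emitted.

// Keys whose values are never logged, whatever they contain.
const SENSITIVE_KEYS = /^(password|passwd|secret|token|api[_-]?key|authorization|cookie|set-cookie)$/i;
// Patterns scrubbed out of free-text values.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const BEARER_RE = /\bBearer\s+[A-Za-z0-9._~+/=-]+/g;

function redactString(s) {
  return s.replace(BEARER_RE, "Bearer [REDACTED]").replace(EMAIL_RE, "[EMAIL]");
}

// Recursively copies a value, redacting sensitive keys and string patterns.
function redact(value, depth = 0) {
  if (depth > 10) return "[TRUNCATED]"; // guard against huge or cyclic objects
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.test(k) ? "[REDACTED]" : redact(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null and undefined pass through unchanged
}

// Builds the JSON line that would be written; callers log only this.
function safeLogLine(message, fields) {
  return JSON.stringify({ msg: redactString(message), ...redact(fields) });
}

function safeLog(message, fields) {
  const line = safeLogLine(message, fields);
  console.log(line);
  return line;
}

// Constructed sample request context containing the kinds of data the
// requirement forbids in logs.
const SAMPLE_FIELDS = {
  user: "alice@example.com",
  headers: { Authorization: "Bearer eyJhbGciOi.abc.def", "X-Request-Id": "r-42" },
  note: "contact bob@example.com, token Bearer abc123",
};

safeLog("request from alice@example.com", SAMPLE_FIELDS);
```

Redaction by key is the reliable part; pattern matching on free text is a backstop, not a guarantee, which is why the wrapper should be the only path to the log sink.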
Apps must now be built to resist SQL injection when using Atlassian's database features (such as Forge SQL), and are prohibited from executing arbitrary system commands. Both are well-known attack vectors that could otherwise allow a malicious or compromised app to affect your environment beyond its intended scope: injected SQL can read or alter data the app was never meant to touch, and shelling out to the operating system hands an attacker whatever the app's runtime can reach.
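What "resist SQL injection" means in code, as an added example that is not Atlassian's or any app's own: a query built by string concatenation beside its parameterised form, plus the one case parameters cannot cover. The `prepare(...).bindParams(...)` shape is a stand-in modelled on how prepared-statement APIs (Forge SQL's included, as an assumption) separate SQL text from values; the tiny implementation here exists only so the example runs offline.

```javascript
// Added example, not Atlassian's or any app's own code.

// Minimal stand-in for a prepared statement: the SQL text is fixed when the
// statement is prepared and user-supplied values travel separately as
// parameters, so the database never parses them as SQL.
function prepare(text) {
  return {
    text,
    params: [],
    bindParams(...values) {
      this.params = values;
      return this;
    },
  };
}

// VULNERABLE: user input is spliced into the SQL text. A reporter value of
// "' OR '1'='1" rewrites the WHERE clause and the query returns every row.
function findIssuesUnsafe(reporter) {
  return prepare("SELECT id FROM issues WHERE reporter = '" + reporter + "'");
}

// SAFE: the SQL text never changes; the input is bound as a parameter and is
// treated strictly as a value, whatever characters it contains.
function findIssuesSafe(reporter) {
  return prepare("SELECT id FROM issues WHERE reporter = ?").bindParams(reporter);
}

// Identifiers (table and column names, ORDER BY targets) cannot be bound as
// parameters, so they must come from an allow-list, never from the request.
const SORTABLE_COLUMNS = new Set(["id", "created", "priority"]);

function findIssuesSorted(reporter, sortBy) {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new Error("refusing unknown sort column: " + sortBy);
  }
  return prepare("SELECT id FROM issues WHERE reporter = ? ORDER BY " + sortBy)
    .bindParams(reporter);
}

// Constructed injection payload for the demonstration.
const PAYLOAD = "' OR '1'='1";

console.log("unsafe text:", findIssuesUnsafe(PAYLOAD).text);
console.log("safe text:  ", findIssuesSafe(PAYLOAD).text, "params:", findIssuesSafe(PAYLOAD).params);
```

Escaping quotes in the unsafe version is not an acceptable fix: it is easy to get wrong per database dialect, and it does nothing for the identifier case, which is why the allow-list is shown separately.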
Apps can no longer run on end-of-life software runtimes, that is, runtime versions that no longer receive security patches. This ensures that the underlying runtime of any Marketplace app stays current and covered by fixes.
Also announced on February 20, Atlassian introduced a dedicated set of security requirements for apps targeting Atlassian Government Cloud (AGC). These go beyond the standard Marketplace requirements and reflect the stricter compliance expectations in government and public sector environments. They take effect on March 31, 2026.
For most organisations, this is not immediately relevant. But if your organisation operates in a regulated or government context, it is worth reviewing the AGC security requirements when evaluating apps.
These changes are technical requirements for developers, but they translate directly into a stronger security baseline for everyone using Forge apps in their Atlassian environment.
When these requirements are in place, you can be more confident that:
If you are evaluating custom Forge apps, whether built internally or by a partner, the Cloud App Security Requirements are a useful reference. Any reputable Forge developer should be able to confirm compliance with these standards.
Atlassian updates its security requirements annually, but smaller platform changes happen throughout the year. For teams running custom Forge apps, working with a partner who monitors these updates as part of their service is the most reliable way to stay ahead of them.