App context security and tenant isolation guidance

Thanks for the recent docs update regarding App context security and the resp. shared responsibility model contract.

I’m surprised about the missing security guarantees for cloudId though, which seems to subvert tenant isolation at the site level when integrating external resources - here’s an example payload from useProductContext():

  "accountId": "9f80f11f-...",
  "cloudId": "0c3130ff-...",
  "contentId": "703102977",
  "localId": "625d12a6-...",
  "spaceKey": "DEV",
  "installContext": "ari:cloud:confluence::site/0c3130ff-..."

Could you please clarify why cloudId is not “guaranteed to be secure” as well, and provide guidance how to implement tenant isolation per installation context without it?

Many thanks,


Case in point, I’ve just followed up on How to retrieve the actual Jira instance I am in? - #11 by sopel with another option based on the GraphQL Gateway’s tenantContexts query, which incidentally treats the cloudId as, well, the tenant context, suggesting it to be “guaranteed to be secure” for tenant isolation?

Hi @sopel,

Sorry for the delayed reply. While cloudId is currently not considered secure and unable to be tampered with, we do consider the installContext property to be secure. The installContext is an identifier which includes the installed product and cloudId within it.

I will update the document with this information and also look into exposing the cloudId or installContext securely in Custom UI as well.