Apply restrictions to custom content via REST API as app / add-on

Hi, I’m trying to call Confluence Cloud REST API as an app / add-on (JWT’s iss is the app key), to create a custom content with restrictions applied.

The custom content is in the app descriptor with apiSupport, the app scope includes WRITE and I’ve granted the app user the permission to Add/Delete Restrictions in Space Settings. The payload to POST /wiki/rest/api/content is something like this:

    {
      type: <custom content key>,
      title: <title>,
      space: {
        key: <space key>
      },
      body: {
        raw: {
          value: <body raw value>,
          representation: 'raw'
        }
      },
      restrictions: {
        update: {
          restrictions: {
            user: [
              {accountId: '<app user accountId>'},
              {accountId: '<user accountId>'}
            ]
          }
        }
      }
    }

However, I keep getting HTTP 403, with the error: com.atlassian.confluence.api.service.exceptions.PermissionException: Not enough permissions to alter ContentRestrictions on a content with ContentId unless I remove restrictions in the payload. Does anyone have an idea what I did wrong, or is there a bug in the REST API?

I’ve spent a huge amount of time on this so I would really appreciate any tips / help / clues / guides, thank you!

5 Likes

Turned out the 403 was a mismatch on how to include the JWT in the request header: the prefix to call the REST API as app is JWT instead of Bearer when using impersonation. To add to the confusion, I was on a Confluence Cloud instance that allows anonymous access, among a couple of other internal and external things.

Tips: If anyone runs into the same issue, verify your requests with /rest/api/user/current to see who is calling the REST API. If you get the error ContentRestriction must have valid non empty map of subject types to restriction subjects specified, check the structure of the objects in the user array.

Side note: notice the examples are still using Jira in a Confluence doc page, perhaps time to update them.
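
Added example, not part of the original posts: a Python sketch of the check suggested above, building the headers for GET /wiki/rest/api/user/current as the app with the JWT scheme. The app key, shared secret and host are constructed placeholders, and the iss/iat/exp/qsh claim layout assumes the standard Atlassian Connect HS256 token with /wiki as the context path.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qsl, quote, urlsplit

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def query_string_hash(method: str, url: str, context_path: str = "/wiki") -> str:
    """qsh claim: SHA-256 of 'METHOD&path&sorted-query', path relative to the base URL."""
    parts = urlsplit(url)
    path = parts.path
    if path == context_path or path.startswith(context_path + "/"):
        path = path[len(context_path):]
    # Simplification (assumption): each query parameter appears only once.
    pairs = sorted((quote(k, safe=""), quote(v, safe=""))
                   for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "jwt")
    canonical = "&".join([method.upper(), path or "/", "&".join(f"{k}={v}" for k, v in pairs)])
    return hashlib.sha256(canonical.encode()).hexdigest()

def app_jwt(app_key: str, shared_secret: str, method: str, url: str, now=None, ttl=180) -> str:
    """HS256 token whose iss is the app key, i.e. a call made as the app itself."""
    iat = int(time.time() if now is None else now)
    claims = {"iss": app_key, "iat": iat, "exp": iat + ttl, "qsh": query_string_hash(method, url)}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def app_headers(token: str) -> dict:
    # The scheme is "JWT" for calls made as the app, not "Bearer".
    return {"Authorization": "JWT " + token, "Accept": "application/json"}

def read_claims(token: str, shared_secret: str) -> dict:
    """Check the signature locally and return the claims, to inspect what is being sent."""
    signing_input, _, sig = token.rpartition(".")
    expected = b64url(hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch")
    payload = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = "https://example.atlassian.net/wiki/rest/api/user/current"
    token = app_jwt("com.example.my-app", "constructed-shared-secret", "GET", url)
    print("GET", url, app_headers(token))
    print(read_claims(token, "constructed-shared-secret"))
```

Send the printed headers with the GET request and compare the user in the response with the app user you expect before retrying the POST with restrictions.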