Call REST own endpoints in Confluence Cloud App

Hi all,

I’m looking for a solution or best practice on how to call your own custom REST endpoints contained within an Connect-App from JavaScript.

Let’s imagine the App BaseURL is, and we defined an endpoint /get-user-preferences. Any calls to that endpoint should be made with a valid JWT token so we can authenticate the current user.

Our Confluence Host URL could be

On a general page we can use AP.request() to call the Confluence APIs. But what about our own ConnectApp APIs? That method will always prepend the Confluence Host URL so this API seems not to be able to make secure requests to our App.

Is there any other method or API to achieve this? I’ve also searched if there is a special Cloud module for this but could not find any.

Thanks for any suggestions!

1 Like

Hi Lukas,

You should only use AP.request to call Atlassian REST APIs. To call your own REST API (or any other one) use the standard way of sending out a request (E.g. fetch, Axios, or jQuery ajax).

If you’re talking to your own Connect app you need to make sure to include the JWT token that you can get from AP.context.getToken (or that you rendered into your HTML) in your request.

You could have a look at the Atlassian Spring Boot Connect samples for examples:

              url: "data",
              beforeSend: function (request) {
                  var token = $('meta[name="token"]').attr("content");
                  request.setRequestHeader("Authorization", "JWT " + token);
            }).done(function(data) {
               alert(JSON.stringify(data, null, '\t'));



Amazing Sven, thanks. This is what I was looking for.

console.log(“JWT token string”, token);

Documented here

Getting the token server side and storing the token on the DOM can be an alternative, but I guess this approach this is more secure.
Do we know where/how Atlassian actually stores this token client side?

The token retrieved via AP.context.getToken() allows context information to be securely transferred to your app’s server. This is explained in the cacheable app iframes guide. Jira/Confluence generates this token on an as needed basis server side. When your app calls AP.context.getToken(), the Jira/Confluence front end code checks if there is a valid JWT cached in the browser, but otherwise will need to make a round trip to the backend to get a valid JWT. There should be no need to store the JWT in your app iframe’s DOM. These JWTs have a validity period of 15 minutes.