Hi Bob. My name is Elaine. I recently took on the Confluence Ecosystem PM role having moved from a different area within Confluence Cloud. I’d be happy to help here.
Thank you for your catch on the APIs being labeled as “shipped” but still in Experimental. I’ve updated the Trello card in the roadmap with up-to-date status. Soon it will be graduated from Experimental to Shipped for good. We’re working on that.
Regarding “Apps cannot access this REST resource” in the dev doc, what we mean is that there should always be a user involved to be able to use these APIs. App context alone will not be sufficient for apps to use these APIs to prevent security vulnerability. Is this aligned with your expectation for how auth should work? If not, what’s your expectation?
In case anyone is interested, user context is provided by using:
- For Connect apps, OAuth 2.0 user impersonation (User impersonation for Connect apps).
- For non-Connect apps, basic auth with the user’s credentials, or 3LO (yet to be supported)
Hope this helps. Please let me know if you have further questions or concerns.
Elaine Hankins
Confluence Cloud PM for Ecosystem