Forge app: 401 Unauthorized (FAILURE_CLIENT_SCOPE_CHECK) when calling /ex/jira/${cloudId}/rest/api/3/project/search from webtrigger

Hi team,

I’m building a multi-tenant Forge app where different Jira Cloud sites (orgs) install the app via a distribution link.

After installation, I receive and store each org’s cloudId and installerAccountId in my backend.

From my Node.js app, I call a Forge webtrigger function like this:

response = await api.asApp().requestJira(
  route`/ex/jira/${cloudId}/rest/api/3/project/search`
);

But this always returns:

401 Unauthorized
x-failure-category: FAILURE_CLIENT_SCOPE_CHECK

✅ /rest/api/3/project/search (without /ex/jira/${cloudId}) works fine inside a tenant context.
❌ /ex/jira/${cloudId} fails even though:

  • The app is installed on that org

  • Scopes include: read:jira-work, read:jira-user, manage:jira-project, manage:jira-configuration, storage:app

  • I re-deployed and re-installed after updating scopes

  • I’m using Forge CLI 12.6.1

Is /ex/jira/${cloudId} supported for webtrigger functions (system-level context)?
If not, what’s the recommended approach to fetch Jira data across multiple installed orgs (multi-tenant setup) from a Forge webtrigger?

Thanks,
Satish Kumar

Hi Satish,

Any particular invocation of a Forge app can only access the tenant for that invocation.

It does mean that a multi-tenant application like yours is harder to implement, but that is the consequence of Atlassian protecting each tenant’s data - see “tenant safety” in our shared responsibility model.

If you want to access your own tenant from a webtrigger, omit /ex/jira/${cloudId} and use the path starting with /rest.

If you want to send data across tenants:

  • Ensure your app complies with the shared responsibility model and privacy requirements such as GDPR.
  • Access each tenant’s data from that tenant’s web-trigger. You still don’t need the /ex/jira/${cloudId} for this.
  • Send data from one web-trigger to another.

You can also consider implementing your app with Forge Remote but the security and privacy obligations still apply.

I wouldn’t consider any of these a recommended approach - please make sure what you are doing respects the tenants’ data first.

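The pattern from the reply above, where each site's data is read by that site's own web trigger and the backend calls one trigger per installation, as an added example that is not code from the thread or from Atlassian. The `requestJira` call and `fetch` are injected so it runs offline; the `x-backend-token` header, the per-installation token and all function names are assumptions of this example, and the handler checks the token first because a web trigger URL can be invoked by anyone who knows it.

```javascript
// Forge side: one web trigger per installation; each invocation sees only its own tenant.
// searchOwnTenant stands in for:
//   () => api.asApp().requestJira(route`/rest/api/3/project/search`)   // from '@forge/api'
// expectedToken and the x-backend-token header are assumptions of this example.
function makeProjectSearchTrigger(searchOwnTenant, expectedToken) {
  return async function handler(request) {
    // Header values are read as arrays of strings; the name is matched case-insensitively.
    const hit = Object.entries(request.headers || {})
      .find(([name]) => name.toLowerCase() === 'x-backend-token');
    const sent = hit ? String(hit[1][0] || '') : '';
    if (!expectedToken || !constantTimeEqual(sent, expectedToken)) {
      return { statusCode: 401, headers: {}, body: 'unauthorized' };
    }
    // Tenant-relative path, no /ex/jira/${cloudId}: the invocation context fixes the tenant.
    const res = await searchOwnTenant();
    return {
      statusCode: res.status,
      headers: { 'Content-Type': ['application/json'] },
      body: await res.text(),
    };
  };
}

// Compare two strings without stopping at the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < b.length; i++) diff |= (a.charCodeAt(i) || 0) ^ b.charCodeAt(i);
  return diff === 0;
}

// Backend side: installations is [{ cloudId, webtriggerUrl, token }], one entry per site.
// Each site is reached only through its own trigger, and results stay keyed by cloudId.
async function fetchProjectsPerTenant(installations, fetchImpl = fetch) {
  const results = {};
  for (const { cloudId, webtriggerUrl, token } of installations) {
    try {
      const res = await fetchImpl(webtriggerUrl, {
        method: 'POST',
        headers: { 'x-backend-token': token },
      });
      results[cloudId] = res.ok
        ? { ok: true, data: await res.json() }
        : { ok: false, status: res.status };
    } catch (err) {
      results[cloudId] = { ok: false, error: String(err) };
    }
  }
  return results;
}
```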