Guide on how to resolve breaking changes for Attlassian connect lifecycle


I have an app posted on the marketplace which was affected by the:
Action Required - Atlassian Connect installation lifecycle security improvements security improvement.

I am using Jira Cloud with Atlassian Connect Express and I followed the steps in the guide related to Express apps, but I am not sure that I need to change something in my code as well.

The thing is I am not using the installed hook In my app and on uninstalled I am only removing the user from the database. (I am using the addon.authenticate() function from express to let the app access sensitive routes)/

Do I need to change something else in my code as well besides this?

I changed addon.authentificate to addon.authenticateInstall() on /uninstalled endpoint and addon.checkValidToken() on protected routes which render handlebars templates. I don’t have a /install hook declared.


Hi, if your app does not require install hook, I think you can just disable jwt auth from your descriptor. Sounds like you don’t need the sharedSecret which is being sent to your app during install hook callback.

    "key": "",
    "name": "your app name",
    ... , 
    "authentication": {
        "type": "none"



But I think I need the jwt because I use it when I send a request to our servers for a user to generate an API key with us which is stored as a user property in jira.


Hi, based on your comment, I think you are already using pre-defined /install hook which is built in ACE framework by default.
This install hook will take care of this breaking change for you, and there is nothing else you need to change apart from changing /uninstalled to use addon.authenticateInstall() which you have already mentioned. Sorry for the confusion.