Guidelines for requesting access to email address

Hey guys, does anyone know how long it takes to evaluate a request for access to email address? We submitted our request almost a month ago and we still don’t have any update.

Hello @SofiaKargioti,

What you are experiencing is the collapse of developer/vendor support by Atlassian, which started in 2018. A few months ago Atlassian promised to address the problem but nothing changed, unfortunately.

Keep making noise and you will hopefully get some help.

Good luck.
Jack

Hey @jack, thanks for the update! I’ll do my best and I hope to get some help soon.

Hi, I want some clarification.
I have a 3LO app (Not connected app), and I want to get the email address of users in the user object of the Search Jira issue API response.

  1. After getting the application approved/whitelisted, can we get the email address value populated irrespective of the user’s selection of email address visibility?
  2. Or do we need to use the Email API only? If yes, do we need to create a separate 3LO app, or can we use the same app both to access the Email API and to fetch issues?

Can I get some clarity here on whether or not the email API is available to 3LO apps? The comments and guidance from Atlassian Staff seem to explicitly contradict what is documented publicly about the email API.

There are comments indicating it is only for connect apps, that you need a connect app id, that you should use the /me route to get email for authorized users who authorized from a 3LO app.

However what is mentioned here indicates this is not the case https://developer.atlassian.com/cloud/jira/platform/profile-visibility/#profile-visibility-overview

Under 3LO apps:

  • Email address: Given that some apps need email addresses for key functionality, we provide an Email API that provides access to email addresses regardless of user consent. The Email API is a public API but only apps that have been approved and added to your allowlist are permitted to use it. To request access, see Requesting access to the Email API below.

I found the (Confluence) documentation to be not very clear about how to use this API, so I did a bit of investigation.

I found that accessing the e-mail API is possible for the following kinds of requests:

It is not accessible for the following kind of requests, resulting in a 403:

  • Direct requests to the REST API through the browser (authentication by cookie)
  • Requests from a Connect app iframe using AP.request().

For the e-mail API to be accessible, the access_email_addresses scope has to be present in the app descriptor. According to the documentation, the app has to be approved by Atlassian to be allowed to use this scope. I have not tested this. What I have tested however is that the e-mail API works for approved apps that are manually installed using the development mode. This suggests that Atlassian approves apps by app key and you can try out the e-mail API by using the app key of any app in the marketplace that is approved to access e-mail addresses.

I also found out that the email field is empty in the User API and User Search API even if the app has permission to access e-mail addresses (unless a particular user has made their e-mail address public). To access e-mail addresses, the specific e-mail APIs have to be used.

The e-mail API can only be used to access users that have been added or invited to the particular Confluence instance. Since inviting users is only possible by e-mail as far as I know, it seems to me that this API cannot be abused to find out the e-mail address of a user if you don’t know it already.

5 Likes

@akassab Thanks for the detailed explanation. Now it looks like the mentioned link (Jira Service Management) isn’t working anymore.

Good catch, @TribesAIIntegrations! We’ve swapped the service desk for Email API tickets.
Please use this link instead: Jira Service Management
I’ve also corrected the link in @akassab’s original post above.

2 Likes

Hey @akassab
We have developed a Forge app that requires email access to connect our web app to Jira and map the users across platforms. But in the raise ticket section, I could not find an option to enroll a Forge app.
Is this how it is supposed to be? Any clarification would be priceless.

Thanks.

3 Likes

I really don’t understand why you do this. Why doesn’t the interface of cloud API allow you to access users’ mail, even the system administrator with the greatest permission!!
This email is generally used to associate with other internal systems, because other information can’t be associated except the emailAddress!
You force everyone to use other methods you provide!
Let’s give up the JIRA cloud API
Scoff at your current practice and your behavior that has not been adjusted so far!

3 Likes

I second this. I have been able to write a simple script to validate that our off-boarded users no longer have accounts lingering in various platforms because they all furnish email - the universal ID. However, to accomplish this task on Atlassian, I must:

  • Draft a privacy policy
  • Draft a customer terms of use agreement
  • Signal whether or not the app collects and stores personal data

It makes no sense to me that I have to go through these steps for an internal script that will never, ever be submitted for installation anywhere.

Utter nonsense.

1 Like
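An added example, not code from any poster in this thread: an off-boarding audit of the kind described in the post above, written to account for the earlier observation that the user APIs return an empty email field unless the user has made it public. The records are constructed samples shaped like Jira Cloud user objects, and the function names are hypothetical.

```python
# Constructed sample records shaped like Jira Cloud user objects.
# emailAddress is empty or absent when profile visibility hides it.
SAMPLE_USERS = [
    {"accountId": "acc-001", "accountType": "atlassian", "active": True,
     "displayName": "Alice Example", "emailAddress": "Alice@Example.com"},
    {"accountId": "acc-002", "accountType": "atlassian", "active": True,
     "displayName": "Bob Example", "emailAddress": ""},
    {"accountId": "acc-003", "accountType": "atlassian", "active": False,
     "displayName": "Carol Example", "emailAddress": "carol@example.com"},
    {"accountId": "acc-004", "accountType": "app", "active": True,
     "displayName": "Some Integration"},
    {"accountId": "acc-005", "accountType": "atlassian", "active": True,
     "displayName": "Dave Example", "emailAddress": "dave@example.com"},
]
# Constructed list of addresses that HR reports as off-boarded.
OFFBOARDED = {"alice@example.com", "carol@example.com", "bob@example.com"}


def audit_offboarding(users, offboarded_emails):
    """Classify human accounts against a list of off-boarded addresses.

    Returns three lists of accountIds:
      lingering    - active account whose visible e-mail is off-boarded
      deactivated  - off-boarded e-mail found, account already inactive
      unverifiable - active account with no visible e-mail; it cannot be
                     matched by e-mail, so it must not be counted as clean
    """
    wanted = {e.strip().lower() for e in offboarded_emails}
    result = {"lingering": [], "deactivated": [], "unverifiable": []}
    for user in users:
        if user.get("accountType") != "atlassian":
            continue  # app and integration accounts are not people
        email = (user.get("emailAddress") or "").strip().lower()
        if not email:
            if user.get("active"):
                result["unverifiable"].append(user["accountId"])
            continue
        if email in wanted:
            key = "lingering" if user.get("active") else "deactivated"
            result[key].append(user["accountId"])
    return result


def audit_is_conclusive(result):
    """The audit proves nothing about accounts whose e-mail is hidden."""
    return not result["unverifiable"]


if __name__ == "__main__":
    print(audit_offboarding(SAMPLE_USERS, OFFBOARDED))
```

In the sample, bob@example.com is off-boarded but never matched, because the only candidate account hides its address; reporting that account as unverifiable rather than clean is the point of the third bucket.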

Hi,

I have submitted AMKTHELP-40168 but there is no response :frowning:

Thanks,

I got an automated message on my request with the following

If your use case is purely internal, there is an app key that we have added to the allow list which will permit you to access the Email API methods. The app key for Jira Cloud apps: internal-email-api-developermode

What does this mean exactly? I tried setting the key in the app descriptor to this value but that needs to be unique from what I understand.

@akassab @candid @Andrew_Golokha I am developing an internal application for internal organization users and that application will not be published to the marketplace. I am sending a request to /rest/api/3/user?accountId= using an admin API token (generated from here Atlassian account).

Apps using admin installation and consent flows (i.e. an admin has installed and consented on behalf of end users) have been approved to access the email API.

I am unable to get users’ email addresses. How do I consent on behalf of end users to get their email addresses as an admin? Can you please let me know where that option is? Thank you.

P.S. I tried adding the connect scope ACCESS_EMAIL_ADDRESSES but then it gives me the error “Installation failed. The app specifies the ACCESS_EMAIL_ADDRESSES scope, but it is not currently approved for such access.”

1 Like

:wave: all,

To clarify some of the questions about access to email address for OAuth 2.0 (3LO apps), I just posted this: OAuth 2.0 (3LO) apps don't have access to restricted email addresses

Caterina

1 Like

Hello, I reached out to support but they rejected our request because we use a 3LO app. But in this post it doesn’t mention that 3LO apps are not permitted to use the Email endpoints. They mentioned just using the /me endpoint but we specifically need other employees’ email addresses for employee matching. We have one JIRA Admin user that authenticates our app for our client and we use that session to pull/push the data we need. How do we go about accessing those emails in this scenario?

Edit:
I just noticed the post above mine, so basically the response to needing emails is:
“You don’t need access to emails because you can already get your own email and you get non-personal information from other accounts which does not include emails.”?

Hi @AlexHofer,

It is true that a 3LO app doesn’t have access to the email endpoint. Unless the email is publicly visible, only an app authorized by the same user running it has access to the email field.

Caterina

Hello @akassab

Do you have any updates regarding the notification service? (API that allows addons to send notifications to users without needing access to their email address?)

Back in July, we rolled out a new service desk for developers and marketplace:

Sorry that we forgot to update this thread with the new location:
https://ecosystem.atlassian.net/servicedesk/customer/portal/34/group/110/create/555

While we’re still open to questions about this API and other aspects of privacy, I’ll ask the community to create new topics. I’m locking this thread so (hopefully) people find this final post and know where to go.

1 Like