Guidelines for requesting access to email address

Hi @akassab could you, or someone else from your team, tell me approximately how long it takes for a request to be evaluated?

Hey @akassab when can we expect to get email address access? As we have submitted our application 2 days ago and ticket number is : DEVHELP-5718

Thanks in advance.

Hey guys, does anyone know how long it takes to evaluate a request for access to email address? We submitted our request almost a month ago and we still don’t have any update.

Hello @SofiaKargioti,

What you experience is collapse of developers/vendors support by Atlassian, that started in 2018. A few months ago Atlassian promised to address the problem but nothing changed, unfortunately.

Keep making noise and you will hopefully get some help.

Good luck.
Jack

Hey @jack, thanks for the update! I’ll do my best and I hope to get some help soon.

Hi, I want some clarification.
I have a 3LO app (Not connected app), and I want to get the email address of users in user object of Search jira issue API response.

  1. After getting application approved/ whitelisted, can we get email address value populated irrespective of user selection of email address visibility?
  2. Or do we need to use Email API only? If yes, then do we need to create a separate 3LO app? or we can use same app to access Email API and fetching issues also?

Can I get some clarity here on whether or not the email API is available to 3LO apps? The comments and guidance from Atlassian Staff seem to explicitly contradict what is documented publicly about the email API.

There are comments indicating it is only for connect apps, that you need a connect app id, that you should use the /me route to get email for authorized users who authorized from a 3LO app.

However what is mentioned here indicates this is not the case https://developer.atlassian.com/cloud/jira/platform/profile-visibility/#profile-visibility-overview

Under 3LO apps:

  • Email address: Given that some apps need email addresses for key functionality, we provide an Email API that provides access to email addresses regardless of user consent. The Email API is a public API but only apps that have been approved and added to your allowlist are permitted to use it. To request access, see Requesting access to the Email API below.

I found the (Confluence) documentation to be not very clear about how to use this API, so I did a bit of investigation.

I found that accessing the e-mail API is possible for the following kinds of requests:

It is not accessible for the following kind of requests, resulting in a 403:

  • Direct requests to the REST API through the browser (authentication by cookie)
  • Requests from a Connect app iframe using AP.request().

For the e-mail API to be accessible, the access_email_addresses scope has to be present in the app descriptor. According to the documentation, the app has to be approved by Atlassian to be allowed to use this scope. I have not tested this. What I have tested however is that the e-mail API works for approved apps that are manually installed using the development mode. This suggests that Atlassian approves apps by app key and you can try out the e-mail API by using the app key of any app in the marketplace that is approved to access e-mail addresses.

I also found out that the email field is empty in the User API and User Search API even if the app has permission to access e-mail addresses (unless a particular user has made their e-mail address public). To access e-mail addresses, the specific e-mail APIs have to be used.

The e-mail API can only be used to access users that have been added or invited to the particular Confluence instance. Since inviting users is only possible by e-mail as far as I know, it seems to me that this API cannot be abused to find out the e-mail address of a user if you don’t know it already.

4 Likes

@akassab Thanks for the detailed explanation. Now looks like the mentioned link(https://ecosystem.atlassian.net/servicedesk/customer/portal/14/create/284) isn’t working anymore.

Good catch, @TribesAIIntegrations! We’ve swapped the service desk for Email API tickets.
Please use this link instead: https://ecosystem.atlassian.net/servicedesk/customer/portal/9/group/30/create/424
I’ve also corrected the link in the original @akassab’s post above.

2 Likes

Hey @akassab
We have developed a forge app that requires email access to connect our web app to Jira and map the users across platforms. But in the raise ticket section, I could not find an option to enroll a Forge app.
Is this how it is supposed to be? Any clarification would be priceless.

Thanks.

2 Likes

I really don’t understand why you do this. Why doesn’t the interface of cloud API allow you to access users’ mail, even the system administrator with the greatest permission!!
This email is generally used to associate with other internal systems, because other information can’t be associated except the emailAddres!
You force everyone to use other methods you provide!
Let’s give up the JIRA cloud API
Scoff at your current practice and your behavior that has not been adjusted so far!

I second this. I have been able to write a simple script to validate that our off-boarded users no longer have accounts lingering in various platforms because they all furnish email - the universal ID. However, to accomplish this task on Atlassian, I must:

  • Draft a privacy policy
  • Draft a customer terms of use agreement
  • Signal whether or not the app collects and stores personal data

It makes no sense to me that I have to go through these steps for an internal script that will never, ever be submitted for installation anywhere.

Utter nonsense.