Marketplace does allow for “just a listing”. However, I doubt it will be technically possible to do this with “no actual app on Jira side”.
If it’s not clear from the Jira Cloud REST API docs, your app cannot use the same password credentials as users have for login. So every user will need to create an API token. If you take this approach, then your app cannot access APIs that are marked as available only to Connect, Forge, or OAuth. For example, your app might need webhooks to do notifications, but notice what the documentation says:
Only Connect and OAuth 2.0 apps can register and manage webhooks.
Hence, my opening doubt about how this would be possible with “no actual app on Jira side”.
You are correct. The guidance about user privacy only applies to Connect, Forge, and OAuth. But, I’m not sure you could accomplish your goal without one of those.
I’m not aware that the endpoint in the linked post is part of a documented API. If it is, the path indicates it might be specific to Atlassian Connect apps, which would require an app on the Jira side, even if it contributes no UI to Jira.
Well, the use case of “mobile alerting” makes some general sense. But you haven’t really provided enough context to provide much meaningful guidance. For the questions you have asked, I doubt API tokens are going to work.
Our service used the Jira API to pull incidents and to update them.
So, my confusion is whether this is an actual “app” and whether “App stores personal data” applies. The description under this point mentions:
Select ‘Yes’ if your app collects and stores any personal data (including, but not limited to: name, email address, picture, location, organization, job title, etc.). If you are only storing accountID (not username or user key) or do not store any data select ‘No’.
I hope this makes things clearer and thanks again.
I’m sorry if the reasoning of my response was not clear. You did not indicate how your integration would call the relevant Atlassian APIs. Specifically, the auth mechanism really matters. Let me try to untangle my response.
Yes, Atlassian considers all “API clients” to be “apps”.
Yes, the question applies. Of course, I cannot answer for you since that would be legal advice (which I’m not qualified to provide) for code that I have not seen.
That said, there is a specific set of requirements for listing apps in Marketplace, which includes both privacy and security. You already referenced the privacy requirements, so you seem to be sufficiently familiar with those. But I think you may have missed the security requirements (which also include a section called “privacy”, as follows):
10. An application must not collect or store credentials belonging to Atlassian user accounts such as user passwords or user API tokens. If an app is currently requesting or storing Atlassian API tokens in order to access a REST API that does not currently support authentication from apps, the app developer can notify Atlassian and receive a temporary waiver for this requirement while Atlassian makes the proper changes to our API to support authenticated requests from apps. Once the API supports approved authentication methods, the app developer will be given a reasonable amount of time to migrate away from using Atlassian API tokens. This requirement does not prohibit apps from storing credentials used to access non-Atlassian applications.
This clause effectively precludes apps from being listed in Marketplace if they use API Tokens. More precisely, for the APIs that your client would use to “retrieve new tickets and also update them”, those are available via “authentication from apps” (i.e. Forge, Connect, and OAuth 2).
Furthermore, this is why the privacy APIs don’t work with API tokens, as you originally reported.
To summarize (as best as I can):
1. You can list on Marketplace via “My app isn’t directly installable” but not if the app uses API Tokens for the most common API calls which are covered by OAuth.
2. Anything listed on Marketplace is considered “an app”; hence, the privacy question always applies.
3. In the combination of 1 & 2, if your app does hold personal data (aka PD), then it must use something other than API tokens to auth to the privacy reporting APIs.
Thanks a lot again. This helps indeed. Our service uses the REST API with an API token (as we have seen in the documentation). So, I will notify Atlassian about this (as you mentioned under Privacy 10.) and then we will go from there, i.e. change the authentication when available.
Thanks again for your help.