Multiple OAuth Flow Support in JIRA Cloud for 3rd Party Apps

From the documentation, it looks like OAuth 2.0 authorization code grants (3LO) are the only OAuth grant type supported by the Jira Cloud platform REST APIs for 3rd party applications.

Is that correct, or am I missing something?

Is there any support for an OAuth grant type like PKCE that doesn’t involve backend services (client id and client secret)?

Welcome to the Atlassian developer community @ManinderSingh,

You are correct. Only authorization code grants are implemented for Jira Cloud.

Can you elaborate why you need an OAuth grant type that doesn’t involve backend services?

Thank you for the confirmation @ibuchanan.

I am developing a web-based document editor (still in the prototype phase), without any backend service as of now, which will interact with 3P apps like JIRA.
In my case it doesn’t make sense to store sensitive information (client secret) in JavaScript files that are by default public and accessible to anyone on the internet.

@ibuchanan Please let me know if you are planning to support the PKCE OAuth grant type in upcoming releases.


Thanks for explaining. I’m not aware of any plans to support PKCE grants on the foreseeable horizon.

What are your recommendations for integrating JIRA with a web browser client where we don’t have any backend service? We have seen flows in TRELLO Authorization where the browser can directly talk to TRELLO and, using window post message, the token can be passed to the web client.

Does any similar flow exist in JIRA?

Welcome to the Atlassian developer community @SaurabhGupta1.

While I understand the scenario presented by you and @ManinderSingh, my only guidance on the subject is that Forge provides mechanisms for writing UI without the need for infrastructure. If that is not sufficient, then I am not aware of any Jira API auth mechanisms safe to use with a web browser client.