OAuth 2.0 3LO Broken

Hey team,

I’m trying to build an app that collects blog posts and pages via the Confluence Cloud REST API v2. This is not a connect or forge app.

I’ve got a private app configured and gave it correct callback URLs and scope allotments (i.e. my auth code request looks like this, which does result in an access_token). This is my code request URL (URL-decoded for legibility):

https://auth.atlassian.com/authorize?audience=api.atlassian.com&client_id={client_id}&scope=search:confluence:read:confluence-content.summary:read:confluence-space.summary&redirect_uri=http://localhost:3000/{code_handler_endpoint}&state=${some value}&response_type=code&prompt=consent

My problem is when I go to use the access token the first 2 legs return, within a few seconds of generating it, by reaching out to

https://{tenant}.atlassian.net/wiki/api/v2/pages with the headers

{
  Authorization: `Bearer ${access_token}`,
  Accept: 'application/json',
  'Content-Type': 'application/json'
}

I get the big 401. I’ve checked that I enabled the only required scope according to the /wiki/api/v2/pages API, confluence:read, on both the app settings in the developer console and in my code request, and the access token looks fine and contains all the scopes requested.

Was something deprecated or am I missing a step here? I can’t see what else I’m doing wrong.

PS: I also observe this behavior when setting up a 3LO flow with the provided Postman collection.

Was able to work around this somewhat by using a different URL

https://api.atlassian.com/ex/confluence/{cloud-id}/wiki/api/v2/pages

You get cloud-id by plucking the id off the response from

https://api.atlassian.com/oauth/token/accessible-resources when you auth using the Bearer token (access token for the 3LO flow)
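
The workaround above as an added example (not part of the original posts and not Atlassian's code): it plucks the cloud id for one site out of an accessible-resources response, checks that the grant for that site carries the scopes the call needs, and builds the gateway request so the bearer token only ever goes to api.atlassian.com. The function names, the sample response, and the UUID-shape check on the cloud id are assumptions made for illustration.

```javascript
// Added example; sample values are constructed, not real identifiers.
const API_HOST = 'https://api.atlassian.com';

// Pick the site the token was granted for and confirm its grant has the scopes.
function selectResource(resources, tenantUrl, requiredScopes = []) {
  const wanted = new URL(tenantUrl).origin;
  const site = resources.find((r) => new URL(r.url).origin === wanted);
  if (!site) throw new Error(`token has no grant for ${wanted}`);
  const missing = requiredScopes.filter((s) => !site.scopes.includes(s));
  if (missing.length > 0) {
    throw new Error(`grant for ${wanted} lacks scopes: ${missing.join(', ')}`);
  }
  return site;
}

// Build the v2 pages request against the gateway, not {tenant}.atlassian.net.
function buildPagesRequest(cloudId, accessToken) {
  // Assumption: cloud ids are UUID-shaped; rejecting anything else keeps
  // unexpected characters out of the URL path.
  if (!/^[0-9a-f-]{36}$/i.test(cloudId)) throw new Error('cloud id is not a UUID');
  return {
    url: `${API_HOST}/ex/confluence/${cloudId}/wiki/api/v2/pages`,
    headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' },
  };
}

// Network path (needs a real access token): look up the cloud id, then call pages.
async function fetchPages(accessToken, tenantUrl, requiredScopes) {
  const headers = { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' };
  const res = await fetch(`${API_HOST}/oauth/token/accessible-resources`, { headers });
  if (!res.ok) throw new Error(`accessible-resources returned ${res.status}`);
  const site = selectResource(await res.json(), tenantUrl, requiredScopes);
  const req = buildPagesRequest(site.id, accessToken);
  const pages = await fetch(req.url, { headers: req.headers });
  if (!pages.ok) throw new Error(`pages returned ${pages.status}`);
  return pages.json();
}

// Constructed sample of an accessible-resources response body.
const SAMPLE_RESOURCES = [
  {
    id: '11111111-2222-3333-4444-555555555555',
    name: 'example',
    url: 'https://example.atlassian.net',
    scopes: ['read:confluence-content.summary', 'read:confluence-space.summary'],
  },
];
```

When `selectResource` throws on a missing scope, the token itself is valid but the grant for that site does not cover the endpoint, which is worth ruling out before suspecting the URL.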