OAuth 2.0 app configuration


We are working on integrating one of our products with Jira Cloud through the OAuth 2.0 (3LO) app approach. We do store the user’s refresh token for fetching the access token later without having to take the user through the Atlassian OAuth flow again.

Does storing the refresh token mean we have to implement the Personal Data Reporting API?

Also, can we change the authorization callback URL once the app is shared/published in the marketplace?



Thanks for your patience while I check with our thoughtful privacy team.

No. Atlassian does not consider refresh tokens to be personal data. You can store them without implementing the Personal Data Reporting API.

Yes. But I would advise the other way around. Change the callback URL before sharing/publishing. Otherwise, you aren’t testing the “production” URL until after customers can use it. Or do you have a different reason for needing to change later?

Thanks @ibuchanan for the information.

I asked about the ability to change the callback URL after sharing/publishing because we are yet to finalize it on our side, but we already wanted to kick-start the OAuth app approval process.