Questions on Security for Confluence Add On intended for only Internal use

Hi Everyone,

We have a confluence cloud account we use.
We intend to make a confluence page that gets updated by a scheduled script everyday.
To create this page in confluence, we have to make it as an add on and of course need to host it somewhere.

Is there any way we can get around hosting this add on publicly? It seems for initial add (and for the regular use), we need to have a publicly accessible url to upload the atlasssian-connect.json file.

What restrictrions can we place on incoming http requests to this add on?

You don’t need to have an add-on do this. You can use the rest api to make the updates with a dedicated user using it’s credentials.

If you still want to do an add-on - yes the add-on has to be available publicly. There are no “known” ips (at least not officially) for the atlassian cloud. However what you can do is just block all of the other tenants from the jwt tokens. See https://developer.atlassian.com/static/connect/docs/latest/concepts/authentication.html and https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html . You basically would only want your instance’s iss to come through.

Thank you. We’ll go with your first suggestion.