Rationale behind app events limitations (no custom payload)

Hi,
I was looking at the App events (Preview) documentation and am now wondering about the rationale behind the stated limitations.

More specifically, I was wondering why apps cannot publish custom payloads. I suspect that this is intended as a security measure, but given that any sending<->receiving app combination would be on the same instance of the host product, there already are ample ways of exchanging information between two known apps willing to do so.

Is there any other reason or security aspect that I’m missing? It would make sense for a couple of our products to adopt app events, but I want to make sure not to bring additional security concerns into our product.

Thank you,
Oliver

1 Like

Hi @osiebenmarck,

Our intention is to enable custom payloads at a later time.

There are some security and privacy considerations to take into account. Apps exchanging static pieces of information is very different from apps being able to share any data (potentially customer data) between one another. This is why it requires more work on our side to design the full experience, from informing the admins during installation time about these potential exchanges, to figuring out which app should be allowed to receive which event (for example, should apps that “Run on Atlassian” be able to send custom payload events to those that don’t).

1 Like

Hi @kkercz,

Thank you for the prompt and detailed response! So the aim (for now at least) is more to build a signalling mechanism (something happened), rather than a data exchange.

1 Like

Hi @kkercz,

I’m following up on this conversation as it perfectly captures a significant challenge we’re facing.

Is there an existing feature request ticket in a public project that we can watch to track the progress on allowing custom payloads in app events?

Our use case is centered around enabling communication between two different apps that both “Runs on Atlassian”. As these apps are restricted from using web triggers with payloads, the app events framework is the only viable alternative for them to interact with each other. The ability to send even a small, defined payload would unlock critical functionality for us.

I understand the security considerations mentioned in this thread. A potential solution could be to restrict this capability, allowing apps that “Runs on Atlassian” to send and receive events with payloads only from other apps that are also designated as “Runs on Atlassian”. This would create a more secure, sandboxed communication channel.

Having a ticket to vote on and watch would be incredibly helpful for us and others in the community who are navigating this same limitation.

Thanks!

5 Likes
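To make the two positions in this thread concrete (kkercz’s point that a signal-only event is a different trust decision from forwarding arbitrary data, and the proposal above to allow payloads only between apps that both “Run on Atlassian”), here is an added illustrative model of an event broker enforcing that policy. This is example code written for this thread, not Forge’s app events API; the broker class, the `runsOnAtlassian` flag, the event shape and the 1 KiB payload cap are all assumptions.

```javascript
// Hypothetical model of an app-event broker (not Forge's real API). Every
// subscriber receives the signal (event name + sender); a custom payload is
// forwarded only when BOTH publisher and subscriber are "Runs on Atlassian".

const MAX_PAYLOAD_BYTES = 1024; // assumed cap for a "small, defined payload"

class AppEventBroker {
  constructor() {
    // appId -> { runsOnAtlassian: boolean, handlers: Map<eventName, fn> }
    this.apps = new Map();
  }

  registerApp(appId, { runsOnAtlassian }) {
    this.apps.set(appId, { runsOnAtlassian: Boolean(runsOnAtlassian), handlers: new Map() });
  }

  subscribe(appId, eventName, handler) {
    const app = this.apps.get(appId);
    if (!app) throw new Error(`unknown app: ${appId}`);
    app.handlers.set(eventName, handler);
  }

  // Policy decision for one publisher/subscriber pair.
  static deliveryMode(publisher, subscriber) {
    return publisher.runsOnAtlassian && subscriber.runsOnAtlassian
      ? 'signal+payload'
      : 'signal-only';
  }

  publish(senderId, eventName, payload) {
    const sender = this.apps.get(senderId);
    if (!sender) throw new Error(`unknown app: ${senderId}`);

    // Validate the payload once, up front: plain JSON only, bounded size.
    let serialised = null;
    if (payload !== undefined) {
      serialised = JSON.stringify(payload);
      if (serialised === undefined) throw new Error('payload must be JSON-serialisable');
      if (new TextEncoder().encode(serialised).length > MAX_PAYLOAD_BYTES) {
        throw new Error('payload too large');
      }
    }

    const deliveries = [];
    for (const [receiverId, receiver] of this.apps) {
      if (receiverId === senderId) continue;
      const handler = receiver.handlers.get(eventName);
      if (!handler) continue;

      const mode = AppEventBroker.deliveryMode(sender, receiver);
      const event = { name: eventName, sender: senderId };
      if (mode === 'signal+payload' && serialised !== null) {
        // Each receiver gets its own copy; nobody shares the sender's object.
        event.payload = JSON.parse(serialised);
      }
      handler(event);
      deliveries.push({ receiverId, mode });
    }
    return deliveries;
  }
}

// Constructed scenario: two "Runs on Atlassian" apps and one that is not.
// app-a publishes with a payload; app-b should get it, app-c only the signal.
function runScenario() {
  const broker = new AppEventBroker();
  const received = {};
  broker.registerApp('app-a', { runsOnAtlassian: true });
  broker.registerApp('app-b', { runsOnAtlassian: true });
  broker.registerApp('app-c', { runsOnAtlassian: false });
  for (const id of ['app-b', 'app-c']) {
    broker.subscribe(id, 'sync-completed', (event) => { received[id] = event; });
  }
  const deliveries = broker.publish('app-a', 'sync-completed', { recordCount: 3 });
  return { broker, deliveries, received };
}
```

The point of the model is that the policy sits in the broker, not in the apps: the non-“Runs on Atlassian” subscriber still learns that something happened (the signalling use case described earlier in the thread) but never sees the data, and the publisher does not have to know or trust who is listening.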