RFC-112: free guest access in Jira Cloud

RFCs are a way for Atlassian to share what we’re working on with our valued developer community.

It’s a document for building shared understanding of a topic. It expresses a technical solution, but can also communicate how it should be built or even document standards. The most important aspect of an RFC is that a written specification facilitates feedback and drives consensus. It is not a tool for approving or committing to ideas, but more so a collaborative practice to shape an idea and to find serious flaws early.

Please respect our community guidelines: keep it welcoming and safe by commenting on the idea not the people (especially the author); keep it tidy by keeping on topic; empower the community by keeping comments constructive. Thanks!

Summary of Project:

• Publish: Sep 22, 2025
• Discuss: Oct 3, 2025
• Resolve: Oct 17, 2025

Problem

Customers need to collaborate with stakeholders external to their organisation, such as contractors, freelancers, agencies and customers. But to enable this today in Jira, a full license needs to be purchased for every user or anonymous access which lets any non-logged in person create, search or view work items, needs to be enabled. Furthermore, Jira data embedded or linked in other Atlassian products, such as Confluence or Trello, is not visible to guests in those products.

In order to remove this barrier to external collaboration in Jira, we will be enabling free guest access, through an experience similar to free guests in Confluence. As part of this, we need to decide how free guests in Jira should have access to Apps.

Proposed Solution

User experience

• Free guests in Jira will be able to be added to a site and then invited to a single Jira space* (both team-managed and company-managed, business and software).
• A space admin can assign either a “viewer - guest” or “collaborator - guest” space role to a guest (these roles will have a subset of project and issue permissions).
• Guests will have access to all views within the space they have been invited to, including the board, all work and work item views.
• Any data from other spaces, such as linked work items or cross project parents, will not be visible.

*Jira projects are becoming spaces, read more here Evolving Jira terminology: ‘Projects’ will soon be ‘Spaces’ . Any reference to a Jira space in this RFC refers to what was previously a Jira project.

Please note that we wanted to share the details of this project for early feedback. Some decisions are still open and are yet to be finalised. These include:

• License packaging for free guest access e.g. paid user to guest ratios, inclusion in free and standard plans etc.
• Whether a guest will be able to view and select global user pickers, such as Assignee.
• Whether other fields will be hidden from guests, due to security reasons, such as Labels or Components.

Impact on Apps

• Similar to Confluence, guests will not be part of the licensed user count on the customers Jira instance and so will not be charged for app usage.
• We are proposing that by default, free guests will not have access to Apps. This is different to Confluence which enables access by default. We are proposing this deviation to:
  • Mitigate the risk of data leakage (mainly from other spaces) to guests.
  • Enable App developers the ability to enable guest support and experience changes (if desired), on their own timelines (but we are open to feedback on this decision to default off).
• We will create a new condition so that individual Apps can enable guests to access their products (see details below).

Affected modules - Forge

UI kit and custom UI modules:

The following modules will be blocked for guest users unless explicitly allowed:

• Issue Panels: jira:issuePanel modules will not be displayed
• Issue Actions: jira:issueAction modules will be blocked
• Issue Glances: jira:issueGlance modules will not be shown
• Project Pages: jira:projectPage and jira:projectSettingsPage modules will not be accessible
• Global Pages: jira:globalPage modules will not be accessible

Macro and Content modules:

• Custom Content: UI components (view, edit, list) will be blocked

All other modules not listed will continue to function normally for guest users.

Affected modules - Connect

The following modules will be blocked for guest users unless explicitly allowed:

• Web Items, Web Panels, Web Sections: UI elements will not be displayed
• Dialogs: Dialog UI elements will be blocked
• General Pages: Custom pages will not be accessible
• Custom Content: UI components (view, edit, list) will be blocked

All other modules not listed will continue to function normally for guest users.

No action required for many Apps

If you don’t want to support guest users, no action is required. Your app will continue working normally for all paid users and will be automatically blocked for guests.

How you will be able to enable guest access for your App

Forge

Option 1: using display conditions (recommended)

Add the isJiraGuest display condition to your Forge app manifest to allow guest access:

modules:
  jira:issuePanel:
    - key: my-issue-panel
      title: My App Panel
      resource: panel-resource
      displayConditions:
        - condition: isJiraGuest
          invert: false

Inverting the condition

To explicitly block guest users while allowing regular users:

`displayConditions:
  - condition: isJiraGuest
    invert: true

Complex conditions

You can combine guest conditions with other display conditions using logical operators:

displayConditions:
  - and:
    - condition: isJiraGuest
      invert: false
    - condition: entity_property_equal_to
      params:
        entity: issue
        propertyKey: my-app-enabled
        value: "true"

Option 2: using context in runtime

The context.user.isJiraGuest property will be available in your Forge app’s runtime context, allowing dynamic decisions:

Custom UI (React):

import { view } from '@forge/bridge';
const App = () => {
  const [context, setContext] = useState(null);
  useEffect(() => {
    view.getContext().then(setContext);
  }, []);
  if (context?.user?.isJiraGuest) {
    // Handle guest user experience
    return <GuestUserInterface />;
  } else {
    // Handle regular user experience  
    return <FullUserInterface />;
  }
};

UI kit:

import { useProductContext } from '@forge/ui';
const App = () => {
  const context = useProductContext();
  if (context.user.isJiraGuest) {
    return (
      <Text>Limited functionality for guest users</Text>
    );
  }
  return (
    <Text>Full functionality for licensed users</Text>
  );
};

Connect

Option 1: using Connect conditions (recommended)

Add the is_jira_guest condition to your Connect app descriptor to allow guest access:

{
  "modules": {
    "webItems": [
      {
        "key": "my-web-item",
        "location": "operations-top-level",
        "name": {
          "value": "My App Action"
        },
        "url": "/my-action",
        "conditions": [
          {
            "condition": "is_jira_guest",
            "invert": false
          }
        ]
      }
    ]
  }
}

Inverting the condition

To explicitly block guest users while allowing regular users:

"conditions": [
  {
    "condition": "is_jira_guest", 
    "invert": true
  }
]

Option 2: using Context Parameters

A new user.isJiraGuest context parameter will be available in all app URLs, allowing runtime decisions:

// Example: Check guest status in your app
if (AP.context.getContext().user.isJiraGuest) {
  // Handle guest user experience
  showLimitedFeatures();
} else {
  // Handle regular user experience  
  showFullFeatures();
}

Best practices for App developers

If you choose to support guest users, please ensure that:

1. Proper authorization checks are implemented - verify the user’s project access before showing any data.
2. Data is scoped appropriately - only show information from spaces the guest has access to.
3. Consider guest-specific UX - Guests will have limited functionality (see list of permissions a guest is eligible for above), so we recommending reviewing experiences your Apps offer for this new user type in Jira.

Migration from Confluence patterns

If your app already supports Confluence guests using user_is_external_collaborator, the patterns are very similar:

// Confluence pattern
"conditions": [
  {
    "condition": "user_is_external_collaborator",
    "invert": false
  }
]
// Jira equivalent  
"conditions": [
  {
    "condition": "is_jira_guest",
    "invert": false
  }
]

Technical resources

• Connect Conditions Documentation (will be updated with is_jira_guest details)
• Context Parameters Documentation (will include user.isJiraGuest)
• Forge Display Conditions Documentation (will be updated with isJiraGuest details)
• Forge Product Context Documentation (will include user.isJiraGuest)
• Forge Security Overview
• Confluence Guest Access RFC (for reference)

Asks

• We are eager for your feedback on the proposed experience and solution outlined above:
  • How might we improve the enabling experience?
  • Is defaulting to off the ideal?
  • Are there other modules where your App shows data to a Guest that we haven’t identified?
  • Is the information above sufficient to identify the impact of this change?
• We plan to run an EAP with customers in late Jan/early Feb 2026. Closer to this time, I will post an update, including an option for Apps to sign-up to be a part of our EAP.

Note that customer access and even anonymous access is already enabled by default in Connect. Disabling guest access by default makes little sense if anonymous access is allowed. Imagine logging in and seeing less…

The only real advantage I see to the proposal is that the transition to support for Guests won’t accidentally open things up to more people - it requires an explicit change in app config.

I propose that the better action is to disable anonymous and customer access by default at the same time as you introduce guests, so that a single change by app developers is required and the result is actually consistent across user types. This requires notice to app devs, but it seems worthwhile. Disabling it by default for non-licensed users is the sane behavior.

Alternatively, you could treat guests as a kind of customer, so that whatever access is given to customers is also given to guests by default. This would keep the default open, while respecting the conditions already in place in many apps and still allowing apps to configure it how they like.

Also note that your examples seem broken. Adding the jira guest condition would actually remove access for all non-guests (aka normal users). You would need it to be in an OR with other conditions for normal users for it to function as intended and allow guests AND licensed users. Do you know how that condition would be written?

Does this mean there is a single space on the instance designated as “the guest space”? Or does it mean that a given guest user can never have access to two spaces at the same time (but the space they have access to can be any space)? Or does it just mean access is granted space-by-space and there is no limit to how many spaces a guest can have access to?

Hi @AdamAhmed - that is an interesting proposal for anonymous access. I would be reluctant to expand this change to anonymous users given we would be changing the experience that exists today, meaning we would need to manage a changeboarding program and because we don’t get alot of feedback on this capability in Jira, I’m not sure the ROI is there for us. But i am curious t see if this is something that other believe would add value.

When you refer to customer access, are you referring to JSM? Service spaces/projects are out of scope for this change, its business and software spaces/projects only.

That is correct regarding the conditions. The Jira guest conditions needs to be combined with other conditions like isLoggedIn for example:

modules:
  jira:issuePanel:
    - key: my-issue-panel
      title: My App Panel
      resource: panel-resource
      displayConditions:
        or: 
          isJiraGuest: true
          invert: false
        isLoggedIn: true

Hi again @AdamAhmed - a free guest can be added to one Jira space (i.e. project), similar to Confluence. They can’t be added to multiple spaces and they can choose which space a guest is invited to, but it can only be one. There won’t be a designated guest space or project, unless a customer configures one this way.

Hey @LorettaBrunette,

thank you for the RFC.

I have the following feedback for you:

Is defaulting to off the ideal?
We have a work item syncing app which adds a web panel. Our customers can administer the access to this web panel via a custom permission which we’ve added.
From that perspective, I’d appreciate not defaulting to off - but simply respecting permissions. If admins can grant/revoke app permissions in a permission scheme for the guest user role, that’ll be enough for us.

So if I’d like to make my app panel visible for both (guests and regular users), would I need to write such a condition for my app. Let’s say this is my existing condition:

displayConditions:
  - condition: some_existing_app_condition

Would this be the correct version?

displayConditions:
  - and:
    - or:
      - condition: isJiraGuest
      - condition: isJiraGuest
        invert: true
    - condition: some_existing_app_condition

If I got this right, this approach seems to be a bit broken for me from a logical approach. I’d appreciate defaulting to true or adding an explicit separate property for allowing guest user access to a module.

Assigning permissions to guest users
Related to my feedback before, you’ve listed several permissions guest users will or won’t get. I’d love it if you implement it that way that the special guest user role can still be administered within a permission scheme like a usual project role with the exception that it can’t be added to certain permissions (as you’ve detailed above). Is this what you’ve intended?

@LorettaBrunette great to hear guest users are coming and you are thinking about apps

I agree with @matthias here - the condition is potentially very confusing, because a display condition is_jira_guest where the display condition requires it to be true, does not sound like it would include regular users. Not that I would have a need for this, but this would also disallow/prevent to have a separate module that is specifically only for guest users.

I agree with @matthias as well, that having the default to true would correct this logic issue - we’d prefer this work the same as anonymous users. In case you do not want to go that route, I’d suggest having the name be “allow_guest_users” and not be a display condition, but a property on the module itself.

I’d suggest having the name be “allow_guest_users” and not be a display condition, but a property on the module itself.

Not bad either!

I am also fine with defaulting guest access to true for consistency with other stuff. The security foot gun already exists, and I think Guests are not really the issue as much as customers and anonymous users anyway, so no harm done.

@matthias - thanks for the great feedback

We are definitely open to changing the default to be on if that is the general consensus. The proposal to default off was really a way to mitigate impact to apps. The ability to grant/revoke app permissions is a really interesting one and company-managed projects/spaces is a problem here. In CMP, we will not enable admins to add a guest user, group or role to a permission scheme, given these can be scaled across multiple spaces/projects. But an admin will be able to give a user a guest collaborator or guest viewer role and we will consider custom project roles for guests as a potential fast follow. This would enable custom permissions (for the ones supported for guests) per guest role.

Whilst I can understand your preference for respecting app permissions, what makes us cautious to this is the lack of visibility we have into app permissions and what guests would be able to do as a result (including scaling across spaces/projects). I will take this away to the team though for further exploration and thinking though.

The correct version of the condition you outlined would be

displayConditions:
    - or:
      - condition: isJiraGuest
        invert: true
      - condition: some_existing_app_condition

Can you explain a bit more about the benefit of having an explicit separate property for allowing guest access to a module? I’ll take this back to the team for us to have a look in to

thanks for the feedback @tobias.viehweger

Can you also explain a bit more about why you would like this to be a property on the module and not a display condition? It’s something I will ask the team to have a look in to

Minor typo
Date is scoped appropriately

should be
Data is scoped appropriately

Hi @LorettaBrunette, thank you for sharing this concept.

Our feedback would be to align with the Confluence (connect app) approach used for guest and anonymous user classes. We use this pattern a lot in our Confluence app pages that should only be available for full users.

Summary

1. (all user classes) Regular, Anonymous, (Jira) Guest, and JSM customers can access apps by default
2. display conditions (isAnon, isGuest, isCustomer, etc) easily available to hide/restrict app pages. (using invert:true)
3. user class/display condition available client side JS ( Bridge/AP ) for dynamic tailoring of page based on user class

(example of live confluence apps where a page is restricted from anon/guest)

"generalPages": [{
    "key": "page key",
    "name": { "value": "page name" },
    "url": "page url",
    "conditions": [
         {  "invert": true, "condition" : "user_is_external_collaborator" },
         {  "invert": true, "condition" : "user_is_anonymous" }
    ]
}, 

Permissions

Our apps do use jira project role permissions (with custom app permissions) to provide fine grained control over specific app functionality. This is used extensively with CMP. For that to work with Guest users then they would need to be able to be granted project roles as well. Hopefully you can find a way to limit guest users to one project while still enabling role based-security in CMP.

Thank you for your consideration

Regards,
Chris
Digital Rose

Thanks for the feedback @Chris_at_DigitalRose

Custom app permissions is something the team are exploring a bit more deeply at the moment, so we will come back on this

@LorettaBrunette, 2 points of clarification:

1. I see that some Forge frontend modules are listed under “will be blocked for guest users unless explicitly allowed”. I don’t see module jira:issueViewBackgroundScript mentioned there. We use that module in our app to react on work-item assignee changes in the frontend and make calls to our app backend (via @forge/bridge’s invoke()). Will such a background-script work for guest users, or do we need to do something on our end to make that work?
2. Concerning work-item assignees: Can a guest user change the assignee of a work-item? And: Can a guest user be the assignee of a work-item? I’m asking because our app sets the assignee of work-items under specific conditions, and I’m wondering if that will work for guest-users.

This would be my second preference. First preference would be a well behaving condition (e.g. no strange defaults).

Having the is_guest_user condition is fine, if the the non-existence of the condition also shows the UI for everyone. It’s just that my expectation is if you put a display condition “is_guest_user” = true, I would expect it to only show up for guest users and not for everyone.

TL;DR: +1 for changing the default to be on.

Hi @AndreasEbert - thanks for your questions:

1. Any module not listed will continue to function normally for guests and will not be blocked. I can confirm that background task modules will continue to work with no additional effort needed.
2. A guest will be able to be assigned to a work item if they have been added with a guest collaborator project role. But the ability for a guest to assign work items to others is an open question. This is the desired behaviour but it is still an open decision at the moment, due to how the people directory is scoped ie. to all people in the organisation. We will shortly investigate to see if there is a way to limit the assignee field (and @ mentions) to only people in the space the guest has been invited to.

Hi everyone
Thank you so much for your feedback on this RFC. Based on your feedback, I wanted to confirm the outcome of this RFC:

• We will default to true for guest access in the modules listed in this RFC, to align with Confluence and anonymous access.

• Following our GA release next year, we plan to build custom user project roles for free Guest users, which gives a Project or Jira Admin the ability to create custom roles with specific permissions for guests. As part of this release, we will support App permissions, so an App permission can be applied to a custom guest project role, like it can today for paid users.

I will publish announcements as this project progresses, including when our EAP will be available (early 2026) and how to join.

Excellent news! I have a billing question: how are these guest users expected to interact with any marketplace apps we have? Will they still be treated as a billable seat, or will they have restricted access to these add-ons?

Hi @BenjaminSwan - guests will not be billable users and will have access to a subset of Jira permissions (as listed in the body of this RFC). As an App, you can make the decision on if you would like to block guests via the modules listed above. If this is not implemented on your end, then Guests will be able to work like any other user, but within the subset of permissions and just within one Jira space/project

Hi, any news on the this EAP on how to join and ETA?