Storing sensitive data with Forge


We have connect apps in Jira and Confluence, and we would like to start migrating and use Forge, we want to start migrating the Jira part first.

We have some question related to security:
We want our Forge app to be able to communicate with our Confluence connect app.
Can we allow Forge to communicate with our Confluence connect app, by adding:


Are these permissions supposed to be used for such cases?
We intend to use JWT authentication, is it possible to store the secret key as an env variable in Forge?


Yes, you can store the secrets in the environment variables.


Hi @salmane,

It’s great to hear you’re interested in migrating your Connect app to use Forge. Currently, yes you can store the key as an env variable and the method specified in your post will work.

Please note that Connect-on-Forge apps are still in alpha. Auth and secrets are likely to evolve as we continue to develop the migration pathway. For example, although secrets are stored across all installations at the moment, this could change and the overall solution may change as well.

Can you please provide greater detail about the circumstances under which you expect the Forge app to communicate with the Connect app? In particular, the specific use case and type of data being communicated.

It would also be great to learn about your experiences and expectations for the migration process. Please DM me if you’re open to this, I’d love to have a chat.


Aditi Venkatesh
Product Manager, Forge