API Authentication

Purpose

ApprovalFlow exposes Forge app REST APIs for external callers. This page covers the 3-legged OAuth (3LO) setup, required scopes, and base URL formats you need before using the endpoint reference.

Info: Atlassian currently documents Forge app REST APIs as a Preview capability for Confluence and Jira. ApprovalFlow uses that Forge apiRoute model for its external API surface.

Before You Start

Make sure:

ApprovalFlow is installed on the Confluence site you want to call.
A site or organization admin can manage Connected apps in Atlassian Administration.
You can create a 3LO integration in the Atlassian Developer Console.

Step 1: Enable App REST APIs

Forge app REST APIs are disabled per site by default. A site or organization admin must enable them first:

Open Atlassian Administration.
Go to Apps -> Sites and select the Confluence site where ApprovalFlow is installed.
Open Connected apps.
Find ApprovalFlow and open the app details.
Enable App REST APIs.

If this toggle is off, external API calls to ApprovalFlow will fail even if your token and scopes are correct.

Step 2: Create a 3LO Integration

Create an OAuth 2.0 integration in the Atlassian Developer Console, then connect it to the ApprovalFlow app installed on your Confluence site.

When you add ApprovalFlow in the integration permissions screen, select:

Atlassian Product Scope

Scope	Purpose
`read:forge-app:confluence`	Required by Atlassian for external access to Confluence Forge app REST APIs.

ApprovalFlow Custom Scopes

Scope	Used By
`read:change-set:custom`	List change sets, get change set detail, preflight change sets
`write:change-set:custom`	Create, update, archive, and submit change sets
`read:approval:custom`	Preflight a single page
`write:approval:custom`	Submit a single page for approval

Select only the scopes your integration needs. ApprovalFlow’s custom scopes are defined in the app’s custom-scopes.yaml, and the endpoint-to-scope mapping is documented in the REST API reference.

Step 3: Obtain an Access Token

After configuring the integration:

Set a callback URL in the integration’s Authorization settings.
Use the generated authorization URL to complete the 3LO consent flow.
Exchange the returned authorization code for an access token.

Send the resulting bearer token with every API request:

Authorization: Bearer <access_token>

The authenticated Atlassian user is resolved automatically from the token. ApprovalFlow does not accept a user ID in the request body for API-authenticated actions.

Base URL Patterns

Atlassian documents two supported base URL patterns for Forge app REST APIs:

https://api.atlassian.com/svc/confluence/<cloud-id>/apps/<app-id>_<env-id>

https://<your-site>.atlassian.net/gateway/api/svc/confluence/apps/<app-id>_<env-id>

Where:

<cloud-id> is your site’s cloud ID.
<app-id> is the ApprovalFlow Forge app ID.
<env-id> is the Forge environment ID.

The site-relative base URL is also surfaced in Connected apps after App REST APIs are enabled.

All endpoint paths in the REST API reference are relative to one of these base URLs.

Audit and Identity Behavior

ApprovalFlow records API-initiated actions differently from manual UI actions:

The real Atlassian user is resolved from the 3LO request context.
ApprovalFlow records the OAuth client ID for traceability.
Audit records for API-created or API-submitted actions are tagged as API-driven.

This lets you distinguish automated submissions from manual submissions in the audit trail.

REST API Reference — Endpoint methods, request bodies, and examples.
Change Sets — How grouped multi-page review works in ApprovalFlow.
Release Notes 2026-03-27 — Feature release for Change Sets and the REST API.