Expose OAuth 2.0 (3LO) compatible APIs for site permissions, security configuration, external collaborators, installed apps, and public link spaces


      Description:

      Third-party security and compliance integrations need to read Confluence site-level data to monitor security posture. Currently, the only way to access this data is through internal GraphQL fields that work exclusively with classic (unscoped) API tokens. There is no supported path via OAuth 2.0 (3LO) or scoped API tokens.

      The following GraphQL fields are confirmed internal-only and not exposed for third-party apps:

      • sitePermissions — requires confluence:atlassian-external (1P-only scope)
      • publicLinkSpacesByCriteria — requires confluence:atlassian-external (1P-only scope)
      • confluence.siteConfiguration — returns FieldNotExposedForOauth
      • externalCollaboratorsByCriteria — not registered in public AGG schema
      • ecosystem.appsInstalledInContexts — returns FieldNotExposedForOauth

      No public REST API equivalents exist for most of this data. Space permissions and groups have REST endpoints, but external collaborators, installed apps, public link spaces, and full site configuration do not.

      This creates a gap for third-party integrations building on OAuth 2.0 (3LO). Customers are forced to use classic API tokens, which cannot be scoped to least-privilege access and are tied to individual user accounts.

      Request: Expose official, OAuth 2.0 (3LO) compatible APIs (REST or GraphQL) for the five data categories listed above, enabling third-party integrations to access site-level security data through supported, least-privilege authentication.

      Use case: Third-party SaaS security platforms that monitor Confluence security posture, audit permissions, track external collaborators, and review installed apps across customer environments.

              Assignee:
              Unassigned
              Reporter:
              David WS Ingty
              Votes:
              2
              Watchers:
              1

                Created:
                Updated: