Security & Compliance in AI Apps Builder
AI Apps Builder is an AI-powered tool that helps Jira teams create custom Forge apps, dashboards, reports, and gadgets by chatting with AI — without writing code. This page explains how this Jira app handles AI, data access, permissions, and deployment, and how it aligns with Atlassian Forge security principles.
AI and Data Access in AI Apps Builder
AI Apps Builder is an AI-based builder that uses a Large Language Model (LLM) provided through Anthropic Connect. The LLM is used to understand plain-English prompts and generate application code based on them.
The AI does not analyze issues, comments, worklogs, or users
The AI does not connect to Jira
The AI does not call Jira APIs
The AI does not receive real Jira data.
In AI Apps Builder, AI is used only to generate code:
Generates an Atlassian Forge app
Uses public Atlassian Forge documentation
Describes which types of data are needed (for example: issue key, summary, due date)
Builds the manifest.yml, UI components, and business logic.
Important Note About the API Token
During deployment, AI Apps Builder asks for an API token. The token is used only to authorize the installation of the generated Forge app to your specific Jira Cloud site.
The API token:
Is used only for deployment
Is not stored by AI Apps Builder
Is not used to access Jira data
Is not used at the app’s runtime
Is not used for analytics or data collection
Does not affect the app after deployment
Once deployment is complete, the app runs independently as a standard Forge app within your Jira environment. It does not rely on the API token in any way.
If the API token expires or is revoked, the deployed app will continue to function normally.
The token is simply a secure authentication mechanism required by Atlassian to authorize app deployment.
Forge security guarantees
Apps generated with AI Apps Builder are built and deployed on Atlassian Forge, which provides strong, built-in security guarantees by design. Forge enforces strict authentication and access control mechanisms. Only authorized users can access app data, and all access is governed by Jira’s standard permission model and the scopes explicitly granted during installation.
To deploy the Forge app generated with AI Apps Builder, you must have administrator permissions on the Jira site where the app will run.
Forge apps run entirely inside Atlassian Cloud. This means Jira data does not leave Atlassian’s secure environment:
No external servers are used
No third-party backends are involved
No data is sent outside the Atlassian infrastructure.
Forge apps inherit the same security framework that protects Jira. This includes:
Platform-level security controls
Ongoing security monitoring
Compliance with Atlassian security policies and standards.
Learn more about security for Forge apps.
Also, apps created with AI Apps Builder use standard Forge scopes, selected based on the app’s functionality. Typical scopes may include:
| Name | Description |
| --- | --- |
| | View user information in Jira that the user has access to, including usernames, email addresses, and avatars. |
| | Read Jira project and issue data, search for issues and objects associated with issues like attachments and worklogs. |
| | View filters. |
| | View dashboards. |
| | Create and update dashboards. |
| | View projects. |
Find more information about Forge scopes in the official Atlassian documentation: Jira scopes for OAuth 2.0 (3LO) and Forge apps.
Before deployment, you can review all the scopes your Forge app uses.
If you use automatic deployment


If you deploy manually
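When you deploy manually, the scope review can also be scripted against the generated manifest.yml. The sketch below is an added example, not code from AI Apps Builder or Atlassian: it lists scopes outside a team allowlist, any write-type scopes, and any `permissions.external` egress entries, which a Forge app must declare before it can send data outside Atlassian. The sample manifest, the allowlist, and the function names are assumptions made for illustration, and the parser assumes the two-space indentation Forge manifests normally use.

```python
import re

# Constructed sample manifest for illustration (not generated by AI Apps Builder).
SAMPLE_MANIFEST = """\
permissions:
  scopes:
    - read:jira-work
    - read:jira-user
    - write:jira-work
  external:
    fetch:
      backend:
        - 'api.example.com'
modules:
  jira:dashboardGadget:
    - key: sample-gadget
"""

# Hypothetical allowlist: the scopes your team has agreed this app may hold.
ALLOWED_SCOPES = {"read:jira-work", "read:jira-user"}

def permissions_block(manifest_text):
    """Return the indented lines under the top-level `permissions:` key."""
    block, inside = [], False
    for line in manifest_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if re.match(r"\S", line):  # a new top-level key starts here
            inside = line.startswith("permissions:")
        elif inside:
            block.append(line)
    return block

def audit_manifest(manifest_text, allowed=ALLOWED_SCOPES):
    """Collect declared scopes and external egress entries, and flag surprises."""
    scopes, egress, section = [], [], None
    for line in permissions_block(manifest_text):
        indent, item = len(line) - len(line.lstrip()), line.strip()
        if indent == 2 and item.endswith(":"):
            section = item[:-1]  # scopes, external, content, ...
        elif item.startswith("- "):
            value = item[2:].strip().strip("'\"")
            if section == "scopes":
                scopes.append(value)
            elif section == "external":
                egress.append(value)
    return {
        "unexpected_scopes": sorted(set(scopes) - set(allowed)),
        "write_scopes": [s for s in scopes if s.split(":")[0] in ("write", "manage", "delete")],
        "external_egress": egress,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

An empty result for all three keys means the manifest requests only allowlisted read scopes and declares no external egress.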


If you need help or have questions, please contact SaaSJet Support or email us at support@saasjet.atlassian.net.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us at security@saasjet.com.