This page includes release notes and updates for Confluence Cloud app developers. Use this page to keep track of upcoming changes, deprecation notices, new features, and feature updates from Confluence Cloud.
For updates about changes to the Forge platform, see the Forge changelog in the Forge documentation.
You can also ask questions and learn from other Confluence Cloud developers on the Atlassian Developer Community.
We’re announcing the deprecation and upcoming decommission of the AUI CDN.
AUI CDN will be shut down after Oct 30, 2026.
What is AUI CDN?
aui-cdn.atlassian.com hosts legacy JavaScript and CSS assets for AUI (Atlassian User Interface) versions 5.2.0 – 6.0.9.
Who is affected?
The AUI CDN is primarily used by Connect apps, so this mostly affects apps not yet migrated from Connect to Forge. Connect has announced its own End of Support late 2026. In some rare cases, AUI CDN is also used by Forge apps.
How to check if you're affected
Search your app's source code for any URLs containing aui-cdn.atlassian.com. If you find any references, your app is loading assets from AUI CDN and you need to take action before the shutdown.
What to do if you're affected
Remove all references to aui-cdn.atlassian.com from your codebase and migrate to a supported alternative:
Recommended: Migrate AUI to Atlassian Design System or Forge UI Kit. Any Atlassian Connect apps should also migrate to Forge, as Connect End of Support has been announced.
If migrating is not suitable for you (e.g. non-React apps), you have these options:
Bundle AUI directly: via npm. See the AUI documentation.
Third-party CDN: use a CDN that serves npm packages, e.g. jsDelivr (https://cdn.jsdelivr.net/npm/aui@latest/) or unpkg (https://unpkg.com/aui@latest/)
Self-host: download any required AUI assets and serve the static assets yourself
Timeline
AUI CDN will be shut down after Oct 30, 2026. After this date, any requests to aui-cdn.atlassian.com will fail, which will break apps that haven't migrated. Please migrate as soon as possible.
We've added a new Confluence Forge event for performed search: avi:confluence:performed:search
You can use this event to invoke your Forge app function when a Confluence search is performed. For more details, see the Confluence events reference documentation.
The legacy icon entry points in @atlaskit/icon have been permanently removed following the deprecation notice published in 2024. The removed entry points are: @atlaskit/icon/glyph/, @atlaskit/icon/core/migration/, @atlaskit/icon/utility/, @atlaskit/icon/base, @atlaskit/icon/svg, and @atlaskit/icon/migration-map.
The no-legacy-icons ESLint rule has also been removed from @atlaskit/eslint-plugin-design-system as it is no longer needed.
Apps using Forge Custom UI or Atlassian Connect that import from any of the above entry points must update their imports to use @atlaskit/icon/core/ instead. Migration guidance, codemods, and the full list of icon replacements were published in the original deprecation notice: https://developer.atlassian.com/changelog/#CHANGE-2773
What was removed
@atlaskit/icon/glyph/* — legacy SVG glyph icon components (~400 icons)
@atlaskit/icon/core/migration/* — migration shim components (~200 shims)
@atlaskit/icon/utility/* — 27 utility (12px) icon components
@atlaskit/icon/base and @atlaskit/icon/svg — legacy base components
@atlaskit/icon/migration-map — migration type helpers
no-legacy-icons ESLint rule from @atlaskit/eslint-plugin-design-system
What to use instead:
Import icons directly from @atlaskit/icon/core/*. The full icon replacement map instructions are in the original deprecation notice: https://developer.atlassian.com/changelog/#CHANGE-2773
What you need to do if you are using Forge Custom UI or Atlassian Connect:
Update any imports from the removed entry points to use @atlaskit/icon/core/* and bump @atlaskit/icon to the latest version.
What you need to do if you are using Forge UI Kit or Forge UI Kit 2:
Nothing. Icons in UI Kit are managed by Atlassian and are not affected by this change.
The spacing prop on icon components in @atlaskit/icon and @atlaskit/icon-lab is now deprecated. The prop was introduced to ease migration from the legacy icon system by allowing icons to carry their own padding. Now that the legacy icon migration is complete, whitespace around icons should be controlled by the surrounding layout rather than the icon itself — consistent with how the rest of the Atlassian Design System handles spacing.
The spacing prop will be removed in a future major release. While no immediate action is required and existing usages will continue to work for now, we recommend migrating away from spacing ahead of its removal. To migrate, replace spacing="spacious" or spacing="compact" with a Flex wrapper from @atlaskit/primitives/compiled using explicit padding tokens. A codemod and ESLint rule with IDE quick-fix are available to automate the migration. Full guidance: https://atlassian.design/components/icon/usage
Why is this being deprecated?
Spacing baked into an icon is invisible to parent components, making layout debugging harder.
The rest of the Atlassian Design System uses explicit layout primitives (Flex, tokens) to control spacing — the spacing prop is an outlier.
The internal implementation is incompatible with @atlaskit/css compiled styling patterns.
How to migrate
Before:
1
<AddIcon label="Add" spacing="spacious" />After:
1
2
3
4
5
6
7
8
9
10
11
12
import { cssMap } from '@atlaskit/css';
import { Flex } from '@atlaskit/primitives/compiled';
import { token } from '@atlaskit/tokens';
const iconSpacingStyles = cssMap({
space050: {
paddingBlock: token('space.050'),
paddingInline: token('space.050'),
},
});
<Flex xcss={iconSpacingStyles.space050}>
<AddIcon label="Add" />
</Flex>Migration tooling:
Codemod — run npx @atlaskit/codemod-cli and select icon-spacing-to-flex-primitive
ESLint rule — enable @atlaskit/design-system/no-icon-spacing-prop for IDE quick-fix suggestions
What you need to do if you are using Forge Custom UI or Atlassian Connect:
Migrate usages using the codemod or ESLint rule above. No immediate action needed — at least 6 months notice will be given before removal.
What you need to do if you are using Forge UI Kit or Forge UI Kit 2:
Nothing. The spacing prop is not exposed to Forge UI Kit developers.
Following our deprecation notice on Sep 29, 2025:
Customers can no longer install Connect private apps.
Partners and developers can no longer update existing Jira or Confluence apps using a Connect descriptor on the Atlassian Marketplace.
Existing installations of Connect private apps will remain unaffected for now.
From now on, private apps can only be installed via Forge installation links. See https://developer.atlassian.com/platform/forge/distribute-your-apps/ for instructions on sharing these links to your customers.
This milestone is in line with our timeline for ending support for the Connect platform.
To continue providing updates to users of your Connect app, it must be migrated to Forge. You can start doing this without completely rewriting your app by incrementally adopting Forge from Connect.
Forge apps with app.connect.key declared in their manifest can now retrieve the Connect clientKey for an installation via a reserved, read-only app property. See Retrieving the Connect clientKey in Forge for instructions.
This capability is only being provided temporarily to facilitate migration away from the Connect installed lifecycle webhook, which previously was the only way to obtain the clientKey. It will only be supported for as long as Connect is supported. For more information about the timeline for Connect end-of-support, refer to this blog.
We are pleased to announce the availability of multi-user app ownership for OAuth 2.0 (3LO) apps in the developer console.
Multiple admins - You can assign multiple admins to your OAuth 2.0 apps in the developer console.
Ownership transfer - The OAuth 2.0 app ownership transfer option is now available in the developer console.
We’ve introduced a platform-level URL persistence and redirect feature for apps migrating from Connect to Forge. Jira and Confluence will now accept legacy Connect URLs (including full path, query parameters, and fragments) and transparently redirect them to the corresponding Forge app module. For more information on how it works, please see the documentation here.
You can now nominate genuine migration blockers or major customer‑impact risks via the “Request review” flow on FRGE issues.
This flow will allow us to triage and assess requests to address remaining blockers to Forge migration before Connect end of support in December 2026. We’ll review requests over 3 monthly cycles, then freeze decisions.
Please review for existing tickets before creating new FRGE tickets. You may also review the announcement.
We’ll publish the outcomes of these decisions on the following pages:
Approved / available capabilities:
https://developer.atlassian.com/platform/adopting-forge-from-connect/connect-forge-equivalences/connect-forge-capabilities-available/
Not‑available capabilities (including rejected requests):
https://developer.atlassian.com/platform/adopting-forge-from-connect/connect-forge-equivalences/connect-forge-capabilities-notavailable/
Effective March 2, 2026, we are starting the phased enforcement of points-based quota rate limits for Jira and Confluence Cloud REST APIs. The rollout will begin with a small percentage of apps and gradually expand over several weeks, allowing us to closely monitor progress and minimize any disruption. API requests will start consuming points based on the work they perform, with app-level quotas applied consistently across two tiers:
Global Pool (Tier 1)
Per-Tenant Pool (Tier 2)
All Forge, Connect, and OAuth 2.0 (3LO) apps are in scope. API token-based traffic is not affected. The vast majority of apps are already operating well within these limits and will not be affected.
To learn whether points-based quota enforcement has started for your app, inspect your API response headers. Quota-related headers with a Beta- prefix (e.g., Beta-RateLimit-Policy: "global-app-quota") indicate enforcement has not yet begun for your app. When enforcement begins, these transition to their non-prefixed equivalents (e.g., RateLimit-Policy: "global-app-quota").
Jira REST APIs use multiple rate-limiting systems (quota, burst) that are transitioning to a unified structured headers(Beta-RateLimit, Beta-RateLimit-Policy)independently. The Beta- prefix on a header indicates that the system has not yet transitioned to production for your app. Use the policy name in the header (e.g., "global-app-quota" or "tenant-app-quota" for quota and for burst"jira-burst-based" ) to identify which system a header belongs to. Additional rate limit policy transitions to this unified header will be announced separately.
We plan to discontinue sending quota rate limit values via the X-RateLimit-* headers in the future. A timeline will be published separately.
For full details on how points are calculated, quota tiers, unified header format and values, and best practices for handling rate limits, please refer to:
Following this deprecation announcement on Feb 17, 2026, the Connect Inspector Service is now decommissoned.
We recommend migrating to Atlassian Forge for a more robust Events model, as Atlassian Connect will reach end of support in December 2026.
Developers who still need similar functionality can use the open‑sourced version of the tool.
We are introducing baseline security requirements for Atlassian Government Cloud (AGC) apps, which will take effect on Mar 31, 2026. If you have any questions regarding these new standards, please contact us here: https://ecosystem.atlassian.net/servicedesk/customer/portal/34/group/109/create/579
We’re also publishing our annual update to the general Cloud App Security Requirements for 2026, which includes new provisions for AI security, data protection, and supply chain security. See More details for highlights on this update.
Key additions to the general Cloud App Security Requirements include:
AI Security: New requirements for apps using Forge Rovo actions and agents, including validating action inputs as untrusted, implementing permission checks for admin-level actions, and accurately configuring actionVerb values.
Data Protection:
External OAuth2 clients must use Forge's OAuth2 Providers and be configured as confidential clients where supported.
Application logs must strictly exclude PII, credentials, and sensitive data.
Apps must ensure strict tenant isolation during runtime.
Apps must not execute arbitrary code by spawning child processes (e.g., using Node.js child_process).
Application Security:
Apps using Forge SQL must use parameterized queries to mitigate SQL injection risks.
Updated guidance on Content Security Policy (CSP) regarding unsafe-inline and unsafe-eval directives.
Runtime Security:
Apps must not use EOL (end-of-life) Node.js runtimes.
We've introduced two new components to UI Kit, now available in Preview: AtlassianTile and AtlassianIcon. Use these components to display Atlassian object type icons—such as stories, tasks, epics, blogs, and more—with consistent styling that aligns with the Atlassian Design System.
Both components provide fixed color, size, and styling options for Atlassian object types. Any updates to icon or tile styling in the Atlassian Design System are automatically reflected in your app.
For implementation details and examples, see the Atlassian icon and Atlassian tile component documentation.
The Connect Inspector service is moving to open source and also being deprecated. This service will no longer allow the creation of new temporary apps. Already registered temporary apps will stop recording new events, and old events will be deleted. Any apps already installed on developer sites will not be uninstalled.
Connect Inspector helped developers better understand Atlassian Connect lifecycle events and web-triggers. This service allowed developers to generate a temporary and unique Atlassian Connect app, which could be installed on a cloud development environment. This, in turn, let developers inspect the full request flow of a Connect app.
However, usage of the Connect Inspector has decreased significantly due to the following:
Atlassian Marketplace no longer accepts new Connect app listings
Local installs of Atlassian Connect apps will be locked from March 2026
Deprecating Connect Inspector allows the team to focus on Forge.
The Connect Inspector service will be discontinued by the end of February 2026.
Developers who still need similar functionality can use the open‑sourced version of the tool.
Atlassian Connect will reach end of support in December 2026. Migrate to Atlassian Forge for a more robust Events model.
We previously announced on 18 December 2025 that the cleanHistory field in the Confluence Content Redaction APIs would be deprecated on 30 June 2026, and that the field would move from required to optional.
After further review, we’ve decided not to proceed with this deprecation. The cleanHistory field will not be deprecated at this time, and the field will remain optional. The behavior of the Content Redaction APIs remains unchanged.
The deprecation of the cleanHistory field previously announced in 18 December 2025 is no longer happening.
The cleanHistory field will continue to be supported in the Confluence Page and Blogpost Redaction APIs.
We are not making any breaking changes to how redaction requests are processed.
Existing implementations that include the cleanHistory field will continue to work as they did before the deprecation announcement.
You do not need to change how you call the Content Redaction APIs as a result of the previously announced deprecation.
If you already updated your integration to treat cleanHistory as optional or removed it from requests, those implementations will continue to function, but these changes are no longer required.
No action is required at this time. If we decide to revisit this deprecation in the future, we’ll provide advance notice and clear migration guidance via the Confluence Cloud changelog.
Rate this page: