|
| 1 | +# Required Atlassian scopes |
| 2 | + |
| 3 | +`Confluence` authenticates with a **scoped** Atlassian API token (the `ATSTT…` |
| 4 | +prefix) used as HTTP Basic authentication (`<service-account-email>:<token>`) |
| 5 | +against the API-gateway host `https://api.atlassian.com/ex/confluence/<cloudId>`. |
| 6 | + |
| 7 | +When you create the token for the service account, select **granular** Confluence |
| 8 | +scopes (not the classic `*-confluence-*` scopes). The list below is the full set |
| 9 | +the module's commands use today — use it when generating or rotating a token. |
| 10 | + |
| 11 | +## Scope list |
| 12 | + |
| 13 | +```text |
| 14 | +read:space:confluence |
| 15 | +read:space.permission:confluence |
| 16 | +read:space.property:confluence |
| 17 | +read:page:confluence |
| 18 | +read:blogpost:confluence |
| 19 | +read:folder:confluence |
| 20 | +read:attachment:confluence |
| 21 | +read:comment:confluence |
| 22 | +read:label:confluence |
| 23 | +read:content.property:confluence |
| 24 | +read:hierarchical-content:confluence |
| 25 | +read:content-details:confluence |
| 26 | +write:page:confluence |
| 27 | +write:folder:confluence |
| 28 | +write:attachment:confluence |
| 29 | +write:comment:confluence |
| 30 | +write:label:confluence |
| 31 | +write:content.property:confluence |
| 32 | +delete:page:confluence |
| 33 | +delete:folder:confluence |
| 34 | +delete:attachment:confluence |
| 35 | +delete:comment:confluence |
| 36 | +``` |
| 37 | + |
| 38 | +That is 22 scopes: 12 read, 6 write, 4 delete. |
| 39 | + |
| 40 | +## What each scope is for |
| 41 | + |
| 42 | +| Scope | Used by | |
| 43 | +| --- | --- | |
| 44 | +| `read:space:confluence` | `Get-ConfluenceSpace`, `Get-ConfluenceSiteInfo` | |
| 45 | +| `read:space.permission:confluence` | `Get-ConfluenceSpacePermission` | |
| 46 | +| `read:space.property:confluence` | `Get-ConfluenceSpaceProperty` | |
| 47 | +| `read:page:confluence` | `Get-ConfluencePage`, `Get-ConfluencePageChild`, `Get-ConfluencePageVersion`, `Set-ConfluencePage` (reads before updating) | |
| 48 | +| `read:blogpost:confluence` | `Get-ConfluenceBlogPost` | |
| 49 | +| `read:folder:confluence` | `Get-ConfluenceFolder` | |
| 50 | +| `read:attachment:confluence` | `Get-ConfluenceAttachment` | |
| 51 | +| `read:comment:confluence` | `Get-ConfluenceComment` | |
| 52 | +| `read:label:confluence` | `Get-ConfluenceLabel` | |
| 53 | +| `read:content.property:confluence` | `Get-ConfluenceContentProperty` | |
| 54 | +| `read:hierarchical-content:confluence` | `Get-ConfluenceDescendant` | |
| 55 | +| `read:content-details:confluence` | `Get-ConfluenceRestriction`, `Get-ConfluenceCurrentUser`, `Add-ConfluenceAttachment` (upload) | |
| 56 | +| `write:page:confluence` | `New-ConfluencePage`, `Set-ConfluencePage` | |
| 57 | +| `write:folder:confluence` | `New-ConfluenceFolder` | |
| 58 | +| `write:attachment:confluence` | `Add-ConfluenceAttachment` | |
| 59 | +| `write:comment:confluence` | `Add-ConfluenceComment` | |
| 60 | +| `write:label:confluence` | `Add-ConfluenceLabel`, `Remove-ConfluenceLabel` | |
| 61 | +| `write:content.property:confluence` | `Set-ConfluenceContentProperty`, `Remove-ConfluenceContentProperty` | |
| 62 | +| `delete:page:confluence` | `Remove-ConfluencePage` | |
| 63 | +| `delete:folder:confluence` | `Remove-ConfluenceFolder` | |
| 64 | +| `delete:attachment:confluence` | `Remove-ConfluenceAttachment` | |
| 65 | +| `delete:comment:confluence` | `Remove-ConfluenceComment` | |
| 66 | + |
| 67 | +## Notes |
| 68 | + |
| 69 | +- Scopes are only an **API ceiling**. Effective access is still bounded by the |
| 70 | + service account's Confluence **permissions** (global and per-space), so grant it |
| 71 | + the matching permissions on the spaces you target. |
| 72 | +- This set contains **no space-administration** scope: the token can read space |
| 73 | + permissions and properties but cannot change space settings or permissions. |
| 74 | +- A few commands reach v1 endpoints that Atlassian maps to these granular scopes: |
| 75 | + label add/remove (`write:label:confluence`), attachment upload |
| 76 | + (`write:attachment:confluence` plus `read:content-details:confluence`), page |
| 77 | + restriction reads and the current user (`read:content-details:confluence`). |
| 78 | +- Atlassian applies a soft cap of roughly 50 scopes per token; this set is well |
| 79 | + under it, leaving room to grow. |
| 80 | +- Reference: [Confluence OAuth 2.0 scopes](https://developer.atlassian.com/cloud/confluence/scopes-for-oauth-2-3LO-and-forge-apps/). |
0 commit comments