AxioRankDocs
Integrations

Atlassian (Jira and Confluence)

Verify and govern the AI agents in your Atlassian tenant, including Rovo, with the AxioRank Agent Security Forge app. A thin client of the inbound verify endpoint that guards Rovo actions, verifies external agents cryptographically, and records agent provenance.

Most AxioRank integrations govern the calls your agents make outbound. The Atlassian app is on the inbound side: it verifies the AI agents reaching a website surface you operate, your Jira and Confluence tenant. It is a native Forge app and a thin client of the verify endpoint, so each checked request is forwarded as one authenticated POST to /api/gateway/verify-request and the verdict drives what happens. There is no AxioRank server change.

A Forge app verifies where it can reach

A Forge app does not sit in front of every request to Jira and Confluence, so it verifies agents at the boundaries it can, and it is honest about the strength of each check. The strongest, cryptographic verification is at the public web-trigger endpoint, where a real signed request is available. Rovo actions and product events provide risk scoring and provenance, because a Forge runtime receives Atlassian-shaped events, not a raw signed request.

Install

  1. Register a website surface in AxioRank under Inbound, Surfaces (or with POST /api/surfaces) for your tenant host, for example your-tenant.atlassian.net, and copy its site key (axr_site_...), distinct from your agent key.
  2. Install AxioRank Agent Security from the Atlassian Marketplace to Jira and Confluence.
  3. Open the AxioRank Agent Security admin page, paste the site key, and press Test connection. To keep the key out of installation storage, set it as an encrypted Forge variable instead: forge variables set --encrypt AXIORANK_SITE_KEY axr_site_....
  4. Leave the mode on Monitor.

What gets verified

The app checks the traffic worth checking, so ordinary human authoring never calls out:

  • Rovo actions. A Rovo agent, AxioRank Agent Security, ships with guarded actions any Rovo agent in your tenant can invoke: verify-agent returns a decision for a named agent, and check-content risk-scores text or proposed tool arguments before an agent acts on them.
  • The public web trigger. An external agent or webhook that calls the app's web-trigger URL is verified cryptographically, including its Web Bot Auth signature, exactly like any other website surface.
  • Product events. Jira issue and Confluence page create and update events are scored for provenance. When only score app edits is on, human authoring is skipped and only app and automation edits are checked.

Each check is scored and logged in your AxioRank dashboard, and surfaced in Jira and Confluence on the dashboard, the issue panel, and the page byline and macro.

Rovo, the native part

verify-agent and check-content make AxioRank a governance primitive at the AI agent's tool boundary. A customer's Rovo agent can call verify-agent before it trusts another agent, or check-content before it posts generated text, and act on the returned decision. The AxioRank Agent Security teammate also answers questions like "Is this agent trusted?" and "What is my enforcement posture?" by calling these actions rather than guessing.

Monitor first, then enforce

A surface starts in monitor posture: AxioRank computes and logs the verdict, but nothing is blocked. Watch the audit log and the dashboard counts, then set both the AxioRank surface and the app to enforce. Enforcement acts only when the response's own enforced flag is true, so the surface posture stays authoritative. At the public endpoint, an enforced verdict answers an unverified agent with a challenge (401) or a block (403).

Fail-open by design

Verification sits in an interactive path, so it fails open. Only a rejected site key raises a notice; any timeout or transport failure resolves to an allow, so a verification outage never blocks Jira or Confluence work.

What is sent to AxioRank

For each checked request, the app sends the basics needed to verify identity: the path, the method, the stated user-agent, and the headers that carry the agent's signature. It never sends cookies, authorization headers, or page and issue content beyond a short title or summary used for risk scoring.

Security

The only secret the app stores is your AxioRank site key, which is AxioRank's own credential, not an Atlassian user API token. It lives in Forge storage, encrypted at rest and scoped to one installation, and it never crosses to the browser. The app runs entirely on Forge with a single declared egress to AxioRank, so it is eligible for the Runs on Atlassian badge.

Next steps

  • Inbound surfaces: the model behind the website surface.
  • Policies: scope inbound decisions by operation and agent.
  • Gateway API: the raw verify-request contract the app speaks.

On this page