Atlassian (Jira and Confluence)
Verify and govern the AI agents in your Atlassian tenant, including Rovo, with the AxioRank Agent Security Forge app. A thin client of the inbound verify endpoint that guards Rovo actions, verifies external agents cryptographically, and records agent provenance.
Most AxioRank integrations govern the calls your agents make outbound. The
Atlassian app is on the inbound side: it verifies the AI agents reaching a
website surface you operate, your Jira and Confluence
tenant. It is a native Forge
app and a thin client of the verify endpoint, so each checked request is
forwarded as one authenticated POST to /api/gateway/verify-request and the
verdict drives what happens. There is no AxioRank server change.
A Forge app verifies where it can reach
A Forge app does not sit in front of every request to Jira and Confluence, so it verifies agents at the boundaries it can, and it is honest about the strength of each check. The strongest, cryptographic verification is at the public web-trigger endpoint, where a real signed request is available. Rovo actions and product events provide risk scoring and provenance, because a Forge runtime receives Atlassian-shaped events, not a raw signed request.
Install
- Register a
websitesurface in AxioRank under Inbound, Surfaces (or withPOST /api/surfaces) for your tenant host, for exampleyour-tenant.atlassian.net, and copy its site key (axr_site_...), distinct from your agent key. - Install AxioRank Agent Security from the Atlassian Marketplace to Jira and Confluence.
- Open the AxioRank Agent Security admin page, paste the site key, and press
Test connection. To keep the key out of installation storage, set it as an
encrypted Forge variable instead:
forge variables set --encrypt AXIORANK_SITE_KEY axr_site_.... - Leave the mode on Monitor.
What gets verified
The app checks the traffic worth checking, so ordinary human authoring never calls out:
- Rovo actions. A Rovo agent, AxioRank Agent Security, ships with guarded
actions any Rovo agent in your tenant can invoke:
verify-agentreturns a decision for a named agent, andcheck-contentrisk-scores text or proposed tool arguments before an agent acts on them. - The public web trigger. An external agent or webhook that calls the app's web-trigger URL is verified cryptographically, including its Web Bot Auth signature, exactly like any other website surface.
- Product events. Jira issue and Confluence page create and update events are scored for provenance. When only score app edits is on, human authoring is skipped and only app and automation edits are checked.
Each check is scored and logged in your AxioRank dashboard, and surfaced in Jira and Confluence on the dashboard, the issue panel, and the page byline and macro.
Rovo, the native part
verify-agent and check-content make AxioRank a governance primitive at the AI
agent's tool boundary. A customer's Rovo agent can call verify-agent before it
trusts another agent, or check-content before it posts generated text, and act
on the returned decision. The AxioRank Agent Security teammate also answers
questions like "Is this agent trusted?" and "What is my enforcement posture?" by
calling these actions rather than guessing.
Monitor first, then enforce
A surface starts in monitor posture: AxioRank computes and logs the verdict,
but nothing is blocked. Watch the audit log and the
dashboard counts, then set both the AxioRank surface and the app to enforce.
Enforcement acts only when the response's own enforced flag is true, so the
surface posture stays authoritative. At the public endpoint, an enforced verdict
answers an unverified agent with a challenge (401) or a block (403).
Fail-open by design
Verification sits in an interactive path, so it fails open. Only a rejected site key raises a notice; any timeout or transport failure resolves to an allow, so a verification outage never blocks Jira or Confluence work.
What is sent to AxioRank
For each checked request, the app sends the basics needed to verify identity: the path, the method, the stated user-agent, and the headers that carry the agent's signature. It never sends cookies, authorization headers, or page and issue content beyond a short title or summary used for risk scoring.
Security
The only secret the app stores is your AxioRank site key, which is AxioRank's own credential, not an Atlassian user API token. It lives in Forge storage, encrypted at rest and scoped to one installation, and it never crosses to the browser. The app runs entirely on Forge with a single declared egress to AxioRank, so it is eligible for the Runs on Atlassian badge.
Next steps
- Inbound surfaces: the model behind the
websitesurface. - Policies: scope inbound decisions by operation and agent.
- Gateway API: the raw
verify-requestcontract the app speaks.
TYPO3
Verify the AI agents that log in, call JSON endpoints, search, and submit forms on your TYPO3 site with the AxioRank Agent Verification extension. A native TYPO3 v13 extension and a thin client of the inbound verify endpoint that blocks unverified agents in real time.
Datadog
Stream the AxioRank governed audit log into Datadog and install the AxioRank tile for a prebuilt log pipeline, three dashboards, and five monitors. Watch agent governance next to the rest of your stack.