Is AI Secure? How AI Apps Builder for Jira Answers Every Security Question

If your team has been holding back from building custom Jira apps because of security concerns, this article is for you. Security questions are the most common reason teams delay adopting AI-powered tooling — and most of those questions have clear, documented answers.

This article walks through exactly how AI Apps Builder for Jira handles security, data access, prompt privacy, API tokens, code transparency, and compliance. By the end, you’ll know whether it fits your organization’s security requirements.

What Is AI Apps Builder for Jira?

AI Apps Builder for Jira is a no-code, secure platform. It lets any Jira user — regardless of coding background — create a fully functional custom Jira app by describing what they need in plain language.

The AI agent generates a complete Forge app, including modules, permissions, UI, and backend logic. The generated app runs entirely inside Atlassian’s infrastructure and operates within Jira’s existing permission model.

It’s designed for Jira administrators, product managers, team leads, Atlassian consultants, developers, and all users who need custom Jira functionality without the technical skills, time, or resource overhead of building from scratch.

Why Jira Teams Need a No-Code Builder

Most Jira teams hit the same wall: the native configuration options run out before the real-world requirements do.

  • No developer bandwidth — Custom Jira apps require Forge expertise. Most teams can’t prioritize it.
  • Marketplace gaps — No off-the-shelf app fits your specific workflow, report, or approval process.
  • Slow iteration cycles — Requesting and scoping a custom app through an internal dev team takes weeks.
  • Misaligned tooling — Teams use spreadsheets, Confluence pages, or manual workarounds instead of building the right tool inside Jira.
  • Compliance blind spots — Without custom fields, dashboards, or audit panels, teams can’t surface the data they need for internal reviews.

AI Apps Builder closes the gap between what Jira can do out of the box and what a team actually needs.

AI Apps Builder supports 31 Jira modules across Jira Software, Jira Service Management, and automation triggers. Here’s what that looks like in practice:

Use Case | Module Type
---------|------------
Custom sprint capacity dashboard | jira:dashboardGadget
Workload and team performance tracker | jira:projectPage
SLA monitoring panel on issue view | jira:issuePanel
Incident or service health status page | jira:globalPage
Configuration change audit log | jira:adminPage
Custom field for tracking additional metadata | jira:customFieldType
Automated scheduled report | scheduledTrigger
JSM portal customization (header, footer, request detail) | jiraServiceManagement:portalHeader
In-context issue action (e.g. one-click escalate) | jira:issueAction
Personal settings or preferences page | jira:personalSettingsPage

If you can describe what you need, the AI can generate the app structure to support it.

How to Build a Custom Jira App Without Code

Here’s the step-by-step process for generating a custom Forge app using AI Apps Builder:

  1. Install AI Apps Builder from the Atlassian Marketplace or use the standalone web version if your organization prefers to build outside your Jira environment before installing anything.
  2. Describe your app in plain language — write a prompt explaining what the app should do: what data it should display, where it should appear in Jira, and what actions it should support. Read how to write a good AI prompt.
  3. Review the app specification — before generation begins, AI Apps Builder produces a spec listing all requested scopes and permissions. Review and edit this before proceeding if needed.
  4. Generate the Forge app — the AI reads your prompt and generates a complete app based on Atlassian’s Forge documentation. It does not access your Jira data to do this.
  5. See your app in preview and optionally edit the code. You can download the generated code, inspect it, and modify it if needed. Nothing is a black box.
  6. Review permissions on the deployment page — a second checkpoint lets you confirm scopes before anything is deployed to your instance.
  7. Deploy or share with your Jira admin — deploy directly if you have Jira Administrator permissions. If not, generate a share link and hand it off to your admin for final approval and deployment.

How AI Apps Builder Handles Your Jira Data and Security

This is where most AI security reviews focus. Here are the specific answers to the questions that come up most often.

Does the AI Access Your Jira Data?

No. When you describe your app, the AI reads your prompt and generates code based on Atlassian’s Forge documentation. It does not connect to your Jira issues, projects, boards, or any instance data. Your Jira environment is not part of the generation process. You can build without security concerns.

Are Your Prompts Used to Train AI Models?

No. Neither Anthropic (the AI provider) nor the AI Apps Builder team uses your prompts or generated outputs for model training. Describing a sensitive internal workflow to generate an app does not expose that information to future users of the system.

Where Does App Data Live?

AI Apps Builder generates secure Forge apps that use Forge-hosted storage — Storage API, Forge SQL, and similar. That means:

  • Data stays inside Atlassian’s cloud infrastructure
  • Storage is scoped per installation (per customer site/tenant), so one organization’s data is never mixed with another’s
  • Data is encrypted at rest using AES-256 and backed up by Atlassian
  • If your Jira instance has a data residency setting pinned to a specific region (EU, US, etc.), Forge-hosted app data follows that setting automatically

The one exception: if an app makes calls to external systems (third-party APIs, remote backends), that data falls outside the Forge platform boundary. In that case, data residency, deletion, and security of external data become your organization’s responsibility.

What Happens to the API Token Used During Deployment?

AI Apps Builder asks for a Jira API token during deployment to authenticate your instance and verify administrator permissions. The token is used only for that single step and is not stored by AI Apps Builder after deployment completes.

If your security policies require keeping the token entirely under your control, manual deployment is available: download the Forge installer and deploy the app yourself without passing the token through the AI Apps Builder interface.

Who Is Responsible for App Security — Atlassian or You?

AI Apps Builder generates Forge apps, which operate under Forge’s shared responsibility model:

Responsibility | Atlassian | You
---------------|-----------|----
Platform infrastructure and runtime | ✓ |
Managed storage and encryption | ✓ |
SOC 2 and ISO 27001 (platform boundary) | ✓ |
Backups of Forge-stored data | ✓ |
Writing secure app code | | ✓
Choosing and minimizing scopes | | ✓
Defining and documenting data egress | | ✓
Your organization’s broader compliance (ISMS, internal policies) | | ✓

Atlassian secures and operates the Forge platform. You’re responsible for how your app uses that platform.

Can You Review the Generated Code?

Yes. You can download, review, and edit the generated code at any point. You can also review and edit the app specification before generation begins and use manual deployment to keep the full process under your control.

Is AI Apps Builder Enterprise-Secure?

If a generated app runs entirely within Forge and uses only Forge-hosted storage — no external API calls — it benefits from Atlassian’s hardened runtime, AES-256 encryption at rest, automated backups, and the same security controls that underpin Atlassian’s SOC 2 and ISO 27001 certifications for the Forge platform.

A “zero-egress” Forge app — one that keeps all processing and storage inside Atlassian’s cloud — closely matches enterprise security expectations and can qualify for Atlassian’s “Runs on Atlassian” program. That program is designed for Forge apps that use only Atlassian-hosted compute and storage, support data residency, and tightly control any allowed external egress.

If the generated app does introduce data egress (calls to third-party APIs, external databases, or analytics services), then security and compliance for that external data fall to your organization, not Atlassian.
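
One way to turn the scope and egress review described above into a repeatable check on the downloaded code is sketched below. It is an added example, not code from AI Apps Builder or Atlassian. It assumes the app's manifest.yml has already been parsed into an object and follows the Forge layout of `permissions.scopes`, `permissions.external` and top-level `remotes`; the sample manifest and the approved scope list are constructed for illustration.

```javascript
// Added example: audit a parsed Forge manifest.yml (not generated by the product).
// Assumed layout: permissions.scopes, permissions.external.*, top-level remotes.

// List every externally reachable destination the manifest declares.
function egressTargets(manifest) {
  const targets = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) {
      for (const e of node) {
        // Entries are plain domains, { address }, or { remote: <key> } references.
        const dest = typeof e === "string" ? e
          : e.address || (e.remote ? `remote:${e.remote}` : JSON.stringify(e));
        targets.push({ via: path, dest });
      }
    } else if (node && typeof node === "object") {
      for (const [key, value] of Object.entries(node)) walk(value, `${path}.${key}`);
    }
  };
  walk((manifest.permissions || {}).external, "permissions.external");
  for (const r of manifest.remotes || []) targets.push({ via: "remotes", dest: r.baseUrl });
  return targets;
}

// Compare manifest scopes with the scopes approved at spec review.
function auditManifest(manifest, approvedScopes) {
  const scopes = (manifest.permissions || {}).scopes || [];
  const egress = egressTargets(manifest);
  return {
    unapproved: scopes.filter((s) => !approvedScopes.includes(s)), // scope drift
    unused: approvedScopes.filter((s) => !scopes.includes(s)),     // approved, not requested
    egress,
    zeroEgress: egress.length === 0, // nothing declared leaves the Forge boundary
  };
}

// Constructed sample: what a YAML parser would return for a generated manifest.yml.
const sampleManifest = {
  modules: { "jira:issuePanel": [{ key: "sla-panel", title: "SLA monitor" }] },
  permissions: {
    scopes: ["read:jira-work", "storage:app", "write:jira-work"],
    external: { fetch: { backend: ["api.example.com"] } },
  },
};
const approvedScopes = ["read:jira-work", "storage:app"]; // hypothetical approved spec

console.log(JSON.stringify(auditManifest(sampleManifest, approvedScopes), null, 2));
```

For the constructed sample the audit reports `write:jira-work` as a scope that was not in the approved spec and one backend fetch destination, so the app would not count as zero-egress and the external data handling needs its own review.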

For teams with strict security policies, the standalone web version of AI Apps Builder lets you build and preview apps entirely outside your Jira environment and install only the finished Forge app when it’s ready.

For a full overview of SaaSJet security and compliance practices, visit the SaaSJet Trust Center.

Key Takeaways

  • No AI access to Jira data — the AI reads your prompt and generates code from Forge documentation, not from your instance
  • Prompts are not used for training — neither Anthropic nor AI Apps Builder uses your inputs or outputs to train models
  • API tokens are not stored — used only during deployment, then discarded
  • Scope review at two checkpoints — before generation and again before deployment, with the ability to edit at both stages
  • Full code transparency — download, review, and edit generated code at any time
  • Forge-hosted data follows your residency settings — data stays in your pinned region automatically
  • Manual deployment option — keep the API token and the full deployment process under your control
  • Standalone web version available — build and preview apps without installing anything in Jira first

Build Your First Secure Custom Jira App Today

If your team needs custom Jira functionality and doesn’t have developer resources to build it from scratch, AI Apps Builder gives you a secure, auditable path to get there.

Install AI Apps Builder for Jira and generate your first custom Forge app today. Have security review questions, compliance requirements, or deployment scenarios you want to walk through? Book a demo with the team.

Frequently Asked Questions

Does AI Apps Builder access my Jira data when generating apps?

No. The AI reads your prompt and generates a Forge app based on Atlassian’s Forge documentation. It does not connect to your Jira issues, projects, boards, or any instance data.

Are my prompts used to train AI models?

No. Neither Anthropic nor the AI Apps Builder team uses your prompts or generated outputs for model training.

Can I review the generated code before deploying?

Yes. You can download, review, and edit the generated code at any time. You can also review and edit the app specification before generation begins and use manual deployment to keep the process entirely under your control.

Do I need to be a Jira admin to use AI Apps Builder?

No. Any Jira user can build and test an app. Jira Administrator permissions are required for deployment, since installing or upgrading a Forge app involves approving scopes and external domain access. If you’re not an admin, you can share a link to your finished app for an admin to deploy.

Where can I find information about security for Forge apps?

You can find all the information about security for Forge apps in the official Atlassian documentation: https://developer.atlassian.com/platform/forge/security/
