Installing Confluence creates a resource for the upstream API and the OAuth provider Keycard needs to mint tokens for it. Your app calls Keycard’s token exchange, gets back a token scoped to Confluence, and uses it to call the API directly. Every exchange is governed by your zone’s identity provider, access policies, and audit log - the OAuth client secret stays inside Keycard.
Scopes
OAuth permissions Keycard requests on install. Override or add scopes in Console.
- read:confluence-content.all (default)
- write:confluence-content (default)
- read:confluence-content.summary
- read:confluence-content.permission
- read:confluence-space.summary
- write:confluence-space
- write:confluence-file
- readonly:content.attachment:confluence
- read:confluence-props
- write:confluence-props
- read:confluence-user
- read:confluence-groups
- write:confluence-groups
- manage:confluence-configuration
- search:confluence
Install
Add Confluence to your zone so your app can exchange tokens for it.
Step 1 - Start the install in Keycard Console
- In your zone’s Keycard Console, go to Resources -> Explore Resources.
- Search for Confluence and click into the catalog entry.
- The install dialog shows a Redirect URI. Copy it - you’ll paste it into Confluence in Step 2. Leave this Keycard tab open.
Step 2 - Create the OAuth app for Confluence
Create an Atlassian OAuth app
- Go to the Atlassian Developer Console
- Click Create → OAuth 2.0 integration
- Enter a name for your integration
- Click Create
Configure Confluence permissions
- Go to Permissions in your app settings
- Find Confluence and click Add
- Configure the scopes:
  - read:confluence-content.all - Read Confluence content
  - write:confluence-content - Create and edit pages
Set the callback URL
- Go to Authorization in your app settings
- Click Add next to OAuth 2.0 (3LO)
- Enter the redirect URI provided by Keycard as the Callback URL
Get credentials
- Go to Settings in your app
- Note the Client ID and Secret
Step 3 - Finish the install in Keycard Console
- Switch back to the Keycard install dialog you left open in Step 1.
- Paste the Client ID and Client Secret from Step 2.
- Click Add Confluence. The resource is provisioned and your app can start exchanging tokens for it.
Use Confluence from your code
Call Confluence from your application with a Keycard-issued token scoped to this resource.
After installing Confluence, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.

```python
from keycardai.oauth import Client, BasicAuth, TokenType
import requests

# Exchange the user's Keycard token for a Confluence token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://api.atlassian.com/ex/confluence",
    )

# Call Confluence directly with the exchanged token.
r = requests.get(
    "https://api.atlassian.com/ex/confluence/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)
```

```typescript
import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";

const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});

const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://api.atlassian.com/ex/confluence",
});

// Call Confluence directly with the exchanged token.
const res = await fetch("https://api.atlassian.com/ex/confluence/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});
```

See the OAuth SDK → Token Exchange reference for the full client API.
Troubleshooting
Common errors when wiring Confluence into your zone.
Empty accessible-resources response
The user hasn’t granted access to any Atlassian sites. During the OAuth consent flow, ensure you select at least one site. If re-authorizing, you may need to revoke and re-grant access.
Error 401: Unauthorized
The token is invalid or expired. Atlassian tokens expire after a short period. Reconnect the provider in Keycard Console - Keycard will handle the refresh if a refresh token was issued.
Error: consent_required
The app’s permissions were updated after the user last authorized it. The user needs to re-authorize to grant the new scopes. Remove the provider connection and connect again.
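As an added example (not Keycard's or Atlassian's code), a pre-flight check on the parsed JSON body of Atlassian's accessible-resources response: it fails clearly on the empty-response case above, refuses to guess between several granted sites, and rejects a grant that lacks the scopes your app needs. The response fields (`id`, `url`, `scopes`) and the cloud-id path segment are assumptions taken from Atlassian's OAuth 2.0 (3LO) documentation, not from this page; the sample data is constructed.

```python
from dataclasses import dataclass

# Base URL is the resource URL from the page; the cloud-id segment after it is
# an assumption taken from Atlassian's OAuth 2.0 (3LO) docs.
API_ROOT = "https://api.atlassian.com/ex/confluence"

class NoAccessibleSites(Exception):
    """The user granted no (matching) Atlassian site during consent."""

class MissingScopes(Exception):
    """The site grant lacks scopes the app needs; the user must re-authorize."""

@dataclass(frozen=True)
class Site:
    cloud_id: str
    url: str
    scopes: frozenset

def select_site(resources, required_scopes, site_url=None):
    """Choose the granted site and verify it carries every required scope."""
    sites = [Site(r["id"], r["url"].rstrip("/"), frozenset(r.get("scopes", [])))
             for r in resources]
    if site_url is not None:
        sites = [s for s in sites if s.url == site_url.rstrip("/")]
    if not sites:
        raise NoAccessibleSites("no granted site; repeat consent and select one")
    if len(sites) > 1:
        raise ValueError("several sites granted; pass site_url to choose one")
    missing = set(required_scopes) - sites[0].scopes
    if missing:
        raise MissingScopes(", ".join(sorted(missing)))
    return sites[0]

def api_url(site, path):
    """Build the request URL under the selected site's cloud id."""
    return f"{API_ROOT}/{site.cloud_id}/{path.lstrip('/')}"

# Constructed sample of a parsed accessible-resources body (not real data).
SAMPLE = [
    {"id": "00000000-0000-0000-0000-000000000001",
     "url": "https://example-a.atlassian.net", "name": "example-a",
     "scopes": ["read:confluence-content.all", "write:confluence-content"]},
    {"id": "00000000-0000-0000-0000-000000000002",
     "url": "https://example-b.atlassian.net", "name": "example-b",
     "scopes": ["read:confluence-content.all"]},
]

if __name__ == "__main__":
    site = select_site(SAMPLE, {"read:confluence-content.all"},
                       site_url="https://example-a.atlassian.net")
    print(api_url(site, "/<endpoint>"))
```

Request only the scopes a call actually needs in `required_scopes`, so an over-broad or under-scoped grant shows up before the first API call rather than as a 401.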
Next steps
What to do once Confluence is installed.
Now do this
- Call Confluence from your code - see the Use Confluence from your code section above for Python and TypeScript samples.
Recommended
- Decide who can use it - write access policies scoped to the Confluence resource so only the right users and apps reach the API.
- Watch the calls - every token exchange and downstream call lands in your audit log with user identity, resource, and policy decision.
Optional
- Add MCP access too - install the Atlassian MCP server for AI agents that need Confluence’s tools, not just the REST API.