π Secure MCP Server
Overviewβ
The Secure MCP Server for Confluence turns your Confluence site into an MCP (Model Context Protocol) server, so AI clients like Claude Desktop can search, read, and write your Confluence content directly β using each user's own permissions, not a shared service account.
Who is this app for?β
- Confluence users who want their AI assistant to search, read, and summarize Confluence content without copy-pasting pages into a chat window.
- Confluence admins who need to give AI clients access to documentation while keeping it scoped to specific spaces, auditable, and instantly revocable.
- Security-conscious teams who can't allow a shared API key or service account to have blanket read access to every space.
How it works, in shortβ
- A Confluence user opens the Connect MCP page and generates a personal session token (valid up to 90 days).
- They paste that token into their MCP client's config, pointed at this app's endpoint URL.
- The MCP client calls tools like
confluence_search_pagesorconfluence_create_pageover that connection. - The app checks the token, then calls the Confluence REST API as that user β so the AI can only ever see or change content the user already has access to.
- Admins can optionally restrict which tools are available, limit them to a subset of spaces, or add an extra CQL filter, on top of each user's own permissions.
The app exposes seven tools across three categories β read (search, list spaces, read pages and comments), page editing (create and update pages), and commenting (add a comment). Every one of them acts as the requesting user, and admins can turn whole categories off. See the Tools Reference for the full list.
Quick Linksβ
- Getting Started β Generate a session token and connect an MCP client (e.g. Claude Desktop)
- Tools Reference β Every MCP tool, its parameters, and example prompts
- Admin Guide β Install the app, choose which tools and content are exposed, and manage user sessions
Features Overviewβ
π Per-user permissions, not a shared keyβ
Every call to Confluence is made as the requesting user, via their own session token β never a shared service account. The AI can never see content the user couldn't already see themselves.
π― Admin-controlled content scopeβ
Admins can limit MCP access to specific spaces, exclude others, or layer an arbitrary CQL filter on top of users' own permissions β all without a redeploy.
β±οΈ Self-service, expiring tokensβ
Users generate and revoke their own tokens from a single Connect MCP page, with a maximum lifetime of 90 days and only one active token per user at a time.
π οΈ Admin-controlled tool accessβ
Tools are grouped into three categories β read, create pages (create/update), and add comments. All three are on by default, and an admin can disable any of them site-wide from a single settings page. Disabled tools vanish from every connected client and their calls are refused server-side.
π§ͺ Prompt-injection defenseβ
Confluence content is written by people, not vetted for AI consumption. By default, page and comment bodies are scanned for hidden instruction-like markup before being handed to the AI client, and flagged as untrusted data β closing off a common indirect prompt-injection vector. Admins can disable this per-site if it causes false positives.
π Full audit trailβ
Every tool call β who, what tool, what target, allowed or denied, and the resolved search query for searches β is logged and retained for 30 days, viewable and exportable to CSV from the admin settings page. See the Admin Guide.