Admin Guide
This guide covers installing the app, scoping what content it can expose, and managing active user sessions.
Installationβ
Install the app from the Atlassian Marketplace.
What gets added to your siteβ
- Connect MCP global page β available to all users, where each person generates their personal session token (see Getting Started).
- Secure MCP Server global settings page β visible to site admins only, where you choose which tools and content are exposed and review active sessions (this guide).
- An endpoint that MCP clients connect to. Its URL is unique per site/environment and shown on the Connect MCP page.
Permissions the app requestsβ
The app requests Confluence scopes to read pages, spaces, comments, and labels, and to write pages and comments β all on behalf of users, with impersonation (write:confluence-content, write:page:confluence, write:comment:confluence). The write scopes are only exercised when the corresponding tool category is enabled (see Controlling which tools are available). It does not egress any content outside of Atlassian Confluence and Forge instances. Users can only access or change content their own Confluence permissions allow, further narrowed by any global filters defined by admins.
Configuring content scopeβ
Open the Secure MCP Server settings page β Settings tab.
Space accessβ
Choose one:
- All spaces allowed (default) β no space-level restriction; users see whatever they personally have access to.
- Only selected spaces allowed β pick one or more spaces; MCP search/list results are limited to those spaces, even for users with broader Confluence access.
- All spaces except selected β pick spaces to exclude; everything else remains visible.
Additional CQL filterβ
An optional free-text CQL expression, applied on top of the space restriction, e.g.:
type = page AND label = "public"
This is ANDed with the space filter and with every search/list query the tools make. Use it to restrict to specific labels, content types, or other CQL-expressible conditions site-wide.
Previewing the filterβ
Click Check allowed content to run your current filter (space + CQL) against live Confluence data and see exactly which pages would be matched, with space and label columns, before saving. Use this to sanity-check a filter doesn't accidentally exclude (or include) more than intended.
Click Save to apply. The filter takes effect immediately for all MCP tool calls β no redeploy needed.
Note: this filter narrows what's reachable through MCP tools. It does not grant access beyond a user's existing Confluence permissions β it can only restrict further, never expand.
Content sanitizationβ
Still on the Settings tab, under Content safety, is an Enable content sanitization checkbox (on by default). When enabled, page and comment bodies returned by the read tools are scanned for indirect prompt-injection markup β instruction-like tags (<system>, <tool_call>, etc., including their HTML-entity-encoded forms) and hidden HTML comments that a malicious or compromised page could use to try to hijack the connected AI client β and neutralized before being returned, with a note flagging the content as untrusted data.
Turning it off returns raw Confluence content, including any embedded instructions; the UI shows a warning when it's off. This is meant as an escape hatch for false positives on trusted content, not a default posture. Toggling this setting is recorded in the audit log.
Controlling which tools are availableβ
On the same Settings tab, the Enabled tools section controls which categories of MCP tools connected clients can use. There are three checkboxes, all enabled by default:
- Read β search, list spaces, read pages and comments β
confluence_search_pages,confluence_get_spaces,confluence_get_page,confluence_get_page_comments. - Create pages β create and update pages β
confluence_create_page,confluence_update_page. - Add comments β add comments to pages β
confluence_add_comment.
Unchecking a category takes effect immediately for every user, with no redeploy: the tools in that category disappear from each client's tool list, and any attempt to call them is rejected server-side. Use this to, for example, allow reading and commenting but not page creation, or to keep the whole integration read-only by leaving only Read enabled.
See the Tools Reference for what each tool does. As with content scope, disabling a category can only restrict what's reachable β it never grants access beyond a user's own Confluence permissions.
Managing user sessionsβ
Open the Secure MCP Server settings page β Usage tab.
You'll see every active and expired session token, by account ID, with creation date, expiry date, last-usage timestamp, and status (Active / Expired). Clicking the last-usage timestamp opens the detail of that most recent tool call β same information as an audit log entry (tool, target, decision, status). A user with no recorded calls shows a dash instead of a timestamp.
Use the search box above the table to filter to a specific user. A refresh button re-fetches the list, and the "more" menu offers Delete all to revoke every active token at once (e.g. during an incident).
From this table you can delete any token directly β useful for:
- Offboarding a user immediately, without waiting for them to revoke it themselves.
- Cleaning up after a suspected token leak.
- General housekeeping of expired entries.
There is no way to view the token value itself from this page β only its metadata. Deleting an entry here has the same effect as the user clicking "Revoke access" themselves.
Audit logβ
Open the Secure MCP Server settings page β Audit tab.
Every authenticated MCP tool call is recorded here, newest first β allowed and denied alike β with:
- Time and user (who made the call)
- Tool name and its target (space and/or page, when applicable)
- Decision β allowed or denied (e.g. by a disabled tool category or a content-scope restriction), with the deny reason on hover
- Status β ok or error
- For
confluence_search_pagescalls, the fully-resolved CQL query that was actually run against Confluence β useful for confirming exactly what a user's natural-language request translated to.
Config changes that affect security posture (currently: toggling content sanitization) are also recorded as their own entry.
Entries are retained for 30 days, then automatically expire. Use the refresh button to pull in new entries, Previous/Next to page through history, or Export to CSV to download the full log (up to the export cap) for compliance evidence or offline review.
Operational notesβ
- Tokens live in Forge KVS storage, scoped to this app β they are not visible to other apps or outside the Forge platform.
- Each user can hold only one active token; generating a new one revokes the previous one automatically on the server side.
- The maximum token lifetime is fixed at 90 days; there is currently no way to issue a longer-lived token.