Last updated: June 2026
QR Hub for Confluence is designed with a minimal attack surface. Because the app has no backend, no external API calls, and no persistent storage, the categories of risk that affect most Atlassian apps simply do not apply here. This document describes the security architecture, the rationale for each design decision, and how to report concerns.
QR Hub for Confluence is a pure Atlassian Forge app. Its security properties derive directly from this architecture:
QR Hub requests the smallest set of OAuth 2.0 scopes needed for the content action feature to display metadata. All scopes are read-only and scoped to the minimum resource type required:
| Scope | Purpose |
|---|---|
read:page:confluence |
Read page title, content type, and version to display in the content action modal. |
read:space:confluence |
Read space name to display in the content action modal. |
read:confluence-user |
Read author display name to display in the content action modal. |
Scope additions in future versions will be accompanied by an updated listing on the Marketplace and this policy document.
QR codes are generated client-side using a JavaScript library running inside Atlassian’s Forge UI runtime. The URL encoded into a QR code is processed locally and never transmitted over the network to any service.
Metadata fetched to populate the content action modal (title, space, type, author) is retrieved via the standard Confluence REST API using the user’s existing session token. This data is displayed in the UI and then discarded — it is not logged, cached, or stored.
QR Hub uses Atlassian’s standard Forge-mediated API authentication. No credentials are stored or handled by the app itself. All token management is performed by the Forge runtime.
As a Forge app, QR Hub for Confluence inherits the security controls of Atlassian’s Forge platform:
For detailed information on Atlassian Forge’s security model, refer to Atlassian’s Forge security documentation.
If you discover a potential security issue in QR Hub for Confluence, please report it to Agilva Solutions before disclosing it publicly. We will acknowledge receipt within one business day and aim to resolve confirmed issues within 14 days.
We do not operate a bug bounty programme at this time, but we take all security reports seriously and will credit responsible disclosures if desired.
Security disclosures and questions can be submitted via our contact form. Please mark your message as a security enquiry so it is routed appropriately.