Runs on Atlassian Jira & JSM Forge Secret Store

Secret Notes for
Jira & JSM.

Keep passwords, tokens, certificates, private keys, and other sensitive handoff notes out of Jira comments, fields, and request threads.

// live on the Atlassian Marketplace · free trial · free for 1–10 user instances · no external services

Secret Notes Jira issue panel
Secret content is stored in the Forge Secret Store and revealed only after an explicit user action.
Production API token Read once · restricted to 2 users
Vendor certificate password 24h left · internal only
Audit trail

Created → reveal attempted → revealed → revoked

// problem

Jira is not a secret manager.

Teams still paste credentials, one-time passwords, temporary tokens, certificate passphrases, and private operational notes into issue comments or JSM request replies because it is convenient in the moment.

Secret Notes gives that workflow a safer place inside Jira and JSM: metadata stays visible enough to coordinate work, while plaintext is stored separately and revealed through controlled actions.

// capabilities

Built for sensitive handoffs inside Atlassian.

Jira + JSM surfaces

Create and reveal secret notes from a Jira issue panel or a Jira Service Management portal request detail panel.

Reveal controls

Use the default issue/request audience, internal-only mode, or restrict a note to selected users and groups.

Expiry policies

Choose read-once self-destruction, 24-hour expiry, 7-day expiry, or manual revoke. Every secret-store write also has a 365-day hard backstop.

Explicit reveal

Secrets are not displayed by default. Read-once notes require extra confirmation before the first and only reveal.

Metadata audit trail

Track created, reveal attempted, revealed, expired, and revoked events without storing plaintext in audit records.

Operational guardrails

Limits on payload size, notes per issue, reveal attempts, access targets, and audit retention reduce abuse and runaway data.

// security posture

Forge-first, no external backend.

Designed to keep the sensitive workflow inside Atlassian infrastructure and avoid unnecessary vendor-side exposure.

Read full Security & Privacy details →
Runs on AtlassianHosted entirely on Forge. No Forge Remote, no external services, and no third-party telemetry or error-reporting SDKs.
Secret Store onlyPlaintext secret payloads are written only to the Forge Secret Store. They are not written to Jira fields, comments, issue properties, normal KVS metadata, logs, or audit events.
Server-side authorizationReveal, revoke, visibility, cleanup, and audit checks run inside Forge resolvers. UI-supplied flags are not treated as a security boundary.
Tenant-aware storageKeys are namespaced by cloudId and issue/request reference, with Forge installation scoping as an additional boundary.
JSM-aware audience checksReporter and participant checks support portal request workflows without returning stakeholder account ids to the browser.
Lifecycle cleanupExpired and destroyed secrets are cleaned up best-effort, tenant data is purged on uninstall, and user references are scrubbed on Atlassian anonymization events.
// boundaries

Clear about what it does not do.

Secret Notes reduces secret leakage in Jira/JSM workflows, but it is not a replacement for your central password manager or vault. If a user copies a revealed secret, that plaintext enters the operating-system clipboard and may be retained by clipboard managers or sync tools.

The app warns users about clipboard handling because that boundary exists outside the Forge iframe.

// available now

Free trial, with a small-team free tier.

Secret Notes for Jira & JSM is live on the Atlassian Marketplace as a paid app, with a free trial and free use for 1–10 user instances. Install it directly from the Marketplace listing.