Secret payload
The sensitive text entered by the user, such as passwords, tokens, certificates, private keys, or other confidential handoff notes. This is stored in the Forge Secret Store.
A factual overview of how Secret Notes for Jira & JSM handles sensitive note content, metadata, permissions, retention, and platform boundaries.
Secret Notes is built as an Atlassian Forge app for Jira and Jira Service Management.
The sensitive text entered by the user, such as passwords, tokens, certificates, private keys, or other confidential handoff notes. This is stored in the Forge Secret Store.
Note title, Jira issue or JSM request reference, Atlassian site/cloud identifier, creator metadata, selected reveal audience, expiry/status information, counters, and metadata-only audit events.
The app is designed to avoid the common problem of secrets being pasted into regular Jira/JSM data surfaces.
Authorization is enforced server-side in Forge resolvers. The browser UI is not treated as a security boundary for reveal, revoke, visibility, cleanup, or audit decisions.
When a user reveals or copies a secret, that plaintext leaves the protected storage context and becomes visible to that user. If copied, it enters the operating-system clipboard.
Clipboard managers, browser extensions, operating-system sync features, or other tools outside the app may retain clipboard contents. Secret Notes warns users about this boundary, but cannot control software outside the Forge iframe.
For app security, privacy, or Marketplace review questions, contact Verdaro Labs through the support channel.