

# Setting up Confluence (Cloud) for connecting to Amazon Q Business

Before you connect Confluence (Cloud) to Amazon Q Business, you need to create and retrieve the Confluence (Cloud) credentials you will use to connect Confluence (Cloud) to Amazon Q. You will also need to add any permissions needed by Confluence (Cloud) to connect to Amazon Q.

The following sections give you an overview of how to configure Confluence (Cloud) to connect to Amazon Q using either basic authentication or OAuth 2.0 authentication.

**Topics**
+ [Basic authentication](confluence-cloud-credentials-basic.md)
+ [OAuth 2.0 authentication](confluence-cloud-credentials-oauth.md)
+ [How Amazon Q works with Confluence (Cloud) access and refresh tokens](confluence-cloud-credentials-notes.md)
+ [Checking Confluence (Cloud) connectivity](confluence-cloud-connection-check.md)

# Basic authentication


You can connect Amazon Q to Confluence (Cloud) using basic authentication credentials. The following procedure gives you an overview of how to configure Confluence (Cloud) to connect to Amazon Q using basic authentication.

**Configuring Confluence (Cloud) basic authentication for Amazon Q**

1. Log in to your account from [Confluence (Cloud)](https://confluence.atlassian.com/). Note the username you logged in with. You will need this later to connect to Amazon Q.

1. From your Confluence (Cloud) home page, note your Confluence (Cloud) URL from your Confluence browser URL. For example: *https://example.atlassian.net*. You will need this later to connect to Amazon Q.

1. Then, go to the [Security](https://id.atlassian.com/manage-profile/security/api-tokens) page in Confluence (Cloud).

1. From the **API tokens** page, select **Create API token**.  
![\[Screenshot of the Atlassian account settings page showing where to access API tokens.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-1.png)

1. In the **Create an API token** dialog box that opens, for **Label**, add a name for your API token. Then, select **Create**.  
![\[Screenshot of the "Create an API token" dialog box where users enter a label for their API token.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-2.png)

1. From the **Your new API token** dialog box, copy the API token and save it in a text editor of your choice. You can't retrieve the API token once you close the dialog box.  
![\[Screenshot of the "Your new API token" dialog box displaying the generated API token that needs to be copied and saved.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-3.png)

1. Select **Close**.

You now have the username, Confluence (Cloud) URL, and Confluence (Cloud) API token you need to connect to Amazon Q with basic authentication.

For more information, see [Manage API tokens for your Atlassian account](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/) in Atlassian Support.

## Atlassian Admin Authentication


To ensure Amazon Q can access all user and group information from your Confluence (Cloud) instance, you must provide Atlassian admin credentials. These credentials allow Amazon Q to sync user information regardless of individual email visibility settings.

### Get your Atlassian admin credentials


1. Sign in to the [Atlassian admin portal](https://admin.atlassian.com/) with administrator permissions.

1.  Open the Administration app for your organization. The URL should look like: `https://admin.atlassian.com/o/{ORGANIZATION-UUID}/overview` 

1. Choose **Settings**, then choose **API Keys**.

1. Choose **Create API key**.

1. Select all available scopes for the API key. 

   Note that the Confluence APIs that fetch user and group information require full scope access.

1.  Copy and save both the **Organization ID** and **API Key**. Note that API keys expire. Monitor the expiration date and update your data source credentials before the key expires. 

### Get your Directory ID


1. Use the Atlassian Admin Workspace API to get your Directory ID. Run the following command:

   ```
   curl --request POST \
   --url 'https://api.atlassian.com/admin/v2/orgs/{ORGANIZATION-ID}/workspaces' \
   --header 'Authorization: Bearer {API-KEY}' \
   --header 'Accept: application/json' \
   --header 'Content-Type: application/json'
   ```

1. In the API response, find the workspace entry that matches your Confluence Cloud instance. Look for `"type": "Confluence"`. Verify the workspace name matches your instance and then copy the directory value from the attributes section. If your instance isn't listed, use the pagination cursor in the `links.next` field to view additional pages.

   ```
   curl --request POST \
   --url 'https://api.atlassian.com/admin/v2/orgs/{ORGANIZATION-ID}/workspaces' \
   --header 'Authorization: Bearer {API-KEY}' \
   --header 'Accept: application/json' \
   --header 'Content-Type: application/json' \
   --data '{"cursor": "{NEXT-PAGE-TOKEN}"}'
   ```

### Update your Confluence data source


When creating or updating your Confluence Cloud data source, provide these three values in your AWS Secrets Manager secret:

1. Admin API Key

1. Organization ID

1. Directory ID

For more information about Atlassian admin API scopes, see [Atlassian API scopes documentation](https://developer.atlassian.com/cloud/admin/scopes/).

For API details, see [Atlassian Admin Workspace API reference](https://developer.atlassian.com/cloud/admin/organization/rest/api-group-workspaces/#api-group-workspaces).

# OAuth 2.0 authentication


You can connect Amazon Q to Confluence (Cloud) using OAuth 2.0 authentication credentials. The following procedures give you an overview of how to configure Confluence (Cloud) to connect to Amazon Q using OAuth 2.0 authentication.

**Topics**
+ [Step 1: Retrieving username and Confluence (Cloud) URL](#confluence-cloud-credentials-url)
+ [Step 2: Configuring an OAuth 2.0 app integration](#confluence-cloud-credentials-oauth-app)
+ [Step 3: Retrieving Confluence (Cloud) client ID and client Secret](#confluence-cloud-credentials-id-secret)
+ [Step 4: Generating a Confluence (Cloud) access token](#confluence-cloud-credentials-access)
+ [Step 5: Generating a Confluence (Cloud) refresh token](#confluence-cloud-credentials-refresh)
+ [Step 6: Generating a new Confluence (Cloud) access token using a refresh token](#confluence-cloud-credentials-refresh-access)

## Step 1: Retrieving username and Confluence (Cloud) URL


To connect Confluence (Cloud) to Amazon Q, you need your Confluence (Cloud) username and your Confluence (Cloud) URL. The following procedure shows you how to retrieve these.

**Retrieving username and Confluence (Cloud) URL**

1. Log in to your account from [Confluence (Cloud)](https://confluence.atlassian.com/). Note the username you logged in with. You will need this later to connect to Amazon Q.

1. From your Confluence (Cloud) home page, note your Confluence (Cloud) URL from your Confluence browser URL. For example: *https://example.atlassian.net*. You will need this later to both configure your OAuth 2.0 token and connect to Amazon Q.

## Step 2: Configuring an OAuth 2.0 app integration


To connect Confluence (Cloud) to Amazon Q using OAuth 2.0 authentication, you need to create a Confluence (Cloud) OAuth 2.0 app with the necessary permissions. The following procedure shows you how to create this.

**Configuring an OAuth 2.0 app integration**

1. Log in to your account from the [Atlassian Developer page](https://developer.atlassian.com/).

1. Select the profile icon from the top-right corner. Then, from the dropdown menu that opens, select **Developer Console**.  
![\[Screenshot of the Atlassian Developer Console showing the "Create" button and options for creating a new integration.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-4.png)

1. From the **Welcome** page, select **Create** and then select **OAuth 2.0 integration**.  
![\[Screenshot of the Atlassian Developer Console welcome page showing the "Create" dropdown menu with the "OAuth 2.0 integration" option highlighted.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-5.png)

1. On the **Create a new OAuth 2.0 (3LO) integration** page, for **Name**, enter a name for the OAuth 2.0 application you are creating. Then, select the **I agree to be bound by Atlassian's developer terms** checkbox, and select **Create**.  
![\[Screenshot of the "Create a new OAuth 2.0 (3LO) integration" page where users enter a name for the OAuth application and agree to the Atlassian developer terms.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-6.png)

   The console will display a summary page outlining the details of the OAuth 2.0 app created.   
![\[Screenshot of the OAuth 2.0 app summary page showing details of the created application including name, ID, and other configuration information.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-7.png)

1. From the left navigation menu, choose **Authorization**.

1. From the **Authorization** page, choose **Add** to add **OAuth 2.0 (3LO)** to your app.  
![\[Screenshot of the OAuth 2.0 app's Authorization page showing the "Add callback URL" button that users need to click to configure the callback URL for the OAuth flow.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-8.png)

1. Under **OAuth 2.0 authorization code grants (3LO) for apps**, enter the Confluence (Cloud) URL you copied as the **Callback URL** and then choose **Save changes**.  
![\[Screenshot of the "OAuth 2.0 authorization code grants (3LO) for apps" section showing the Callback URL field where users enter the Confluence URL for the OAuth redirect.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-9.png)

1. From the **Authorization URL generator** section that appears, choose **Add APIs** to add APIs to your app. This will redirect you to the **Permissions** page.

1. On the **Permissions** page, for **Scopes**, navigate to **User Identity API**. Select **Add**, and then select **Configure**.  
![\[Screenshot of the Permissions page showing the "User Identity API" option that needs to be selected to configure user identity permissions for the OAuth app.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-10.png)

1. On the **User Identity API** page, choose **Edit Scopes**, and then add the following `read` scopes:
   + **`read:me`** – View active user profile
   + **`read:account`** – View user profiles  
![\[Screenshot of the User Identity API permissions page showing the available scopes that can be selected for the OAuth application, with read scopes highlighted.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-12.png)

   Then, select **Save**.

1. Return to the **Permissions** page. From **Scopes**, navigate to **Confluence API**. Select **Add**, and then select **Configure**.  
![\[Screenshot of the Permissions page showing the Confluence API option that needs to be selected to configure API permissions for accessing Confluence content.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-11.png)

1. Navigate to the **Granular scopes** page.  
![\[Screenshot of the Confluence API Granular scopes page showing the available API permission scopes that can be configured for the OAuth application.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-14.png)

   Then, choose **Edit Scopes**, and then add the following `read` scopes:
   + **`read:content:confluence`** – View detailed contents 
   + **`read:content-details:confluence`** – View content details 
   + **`read:space-details:confluence`** – View space details
   + **`read:audit-log:confluence`** – View audit records 
   + **`read:page:confluence`** – View pages 
   + **`read:attachment:confluence`** – View and download content attachments 
   + **`read:blogpost:confluence`** – View blogposts 
   + **`read:custom-content:confluence`** – View custom content 
   + **`read:comment:confluence`** – View comments 
   + **`read:template:confluence`** – View content templates 
   + **`read:label:confluence`** – View labels 
   + **`read:watcher:confluence`** – View content watchers 
   + **`read:group:confluence`** – View groups 
   + **`read:relation:confluence`** – View entity relationships 
   + **`read:user:confluence`** – View user details 
   + **`read:configuration:confluence`** – View Confluence settings 
   + **`read:space:confluence`** – View space details 
   + **`read:space.permission:confluence`** – View space permissions 
   + **`read:space.property:confluence`** – View space properties 
   + **`read:user.property:confluence`** – View user properties 
   + **`read:space.setting:confluence`** – View space settings 
   + **`read:analytics.content:confluence`** – View analytics for content 
   + **`read:content.permission:confluence`** – Check content permissions 
   + **`read:content.property:confluence`** – View content properties 
   + **`read:content.restriction:confluence`** – View content restrictions 
   + **`read:content.metadata:confluence`** – View content summaries 
   + **`read:inlinetask:confluence`** – View tasks 
   + **`read:task:confluence`** – View tasks 
   + **`read:permission:confluence`** – View content restrictions and space permissions 
   + **`read:whiteboard:confluence`** – View whiteboards 
   + **`read:app-data:confluence`** – Read app data 
   + *(Optional)* **`read:database:confluence`** – Read database
   + *(Optional)* **`read:embed:confluence`** – Read embeddings
   + *(Optional)* **`read:folder:confluence`** – Read folders
   + *(Optional)* **`read:email-address:confluence`** – Read email addresses

   Then, select **Save**.

For more information, see [Implementing OAuth 2.0 (3LO)](https://developer.atlassian.com/cloud/oauth/getting-started/implementing-oauth-3lo/) and [Determining the scopes required for an operation](https://developer.atlassian.com/cloud/oauth/getting-started/determining-scopes/) in Atlassian Developer.

### Atlassian Admin Authentication


To ensure Amazon Q can access all user and group information from your Confluence (Cloud) instance, you must provide Atlassian admin credentials. These credentials allow Amazon Q to sync user information regardless of individual email visibility settings.

#### Get your Atlassian admin credentials


1. Sign in to the [Atlassian admin portal](https://admin.atlassian.com/) with administrator permissions.

1.  Open the Administration app for your organization. The URL should look like: `https://admin.atlassian.com/o/{ORGANIZATION-UUID}/overview` 

1. Choose **Settings**, then choose **API Keys**.

1. Choose **Create API key**.

1. Select all available scopes for the API key. 

   Note that the Confluence APIs that fetch user and group information require full scope access.

1.  Copy and save both the **Organization ID** and **API Key**. Note that API keys expire. Monitor the expiration date and update your data source credentials before the key expires. 

#### Get your Directory ID


1. Use the Atlassian Admin Workspace API to get your Directory ID. Run the following command:

   ```
   curl --request POST \
   --url 'https://api.atlassian.com/admin/v2/orgs/{ORGANIZATION-ID}/workspaces' \
   --header 'Authorization: Bearer {API-KEY}' \
   --header 'Accept: application/json' \
   --header 'Content-Type: application/json'
   ```

1. In the API response, find the workspace entry that matches your Confluence Cloud instance. Look for `"type": "Confluence"`. Verify the workspace name matches your instance and then copy the directory value from the attributes section. If your instance isn't listed, use the pagination cursor in the `links.next` field to view additional pages.

   ```
   curl --request POST \
   --url 'https://api.atlassian.com/admin/v2/orgs/{ORGANIZATION-ID}/workspaces' \
   --header 'Authorization: Bearer {API-KEY}' \
   --header 'Accept: application/json' \
   --header 'Content-Type: application/json' \
   --data '{"cursor": "{NEXT-PAGE-TOKEN}"}'
   ```
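The Directory ID lookup described in the two "Get your Directory ID" procedures, as an added Python example (not code from AWS or Atlassian). It assumes the response shape those steps describe: a `data` list whose entries carry `attributes` with `type`, `name` and `directory`, plus a `links.next` cursor. The function names, workspace names and IDs are constructed, and `fetch_page` is an assumed callable standing in for the cURL request so the code runs offline.

```python
"""Find the Directory ID for a Confluence workspace across paginated responses."""
from typing import Callable, Optional


class DirectoryLookupError(Exception):
    """Raised when the workspace cannot be resolved to exactly one directory."""


def find_directory_id(fetch_page: Callable[[Optional[str]], dict],
                      workspace_name: str, max_pages: int = 50) -> str:
    """Walk every page and return the directory of the matching workspace.

    fetch_page(cursor) is an assumed callable that performs the POST shown
    in the cURL commands (cursor=None for the first page) and returns the
    decoded JSON body.
    """
    matches = set()
    seen_cursors = set()
    cursor = None
    for _ in range(max_pages):
        page = fetch_page(cursor)
        for entry in page.get("data", []):
            attrs = entry.get("attributes", {})
            # Match on product type AND name: an organization can hold
            # several workspaces, and only one is the instance being connected.
            if attrs.get("type") == "Confluence" and attrs.get("name") == workspace_name:
                directory = attrs.get("directory")
                if not directory:
                    raise DirectoryLookupError("workspace entry has no directory value")
                matches.add(directory)
        cursor = (page.get("links") or {}).get("next")
        if not cursor:
            break  # last page reached
        if cursor in seen_cursors:
            raise DirectoryLookupError("pagination cursor repeated")
        seen_cursors.add(cursor)
    else:
        raise DirectoryLookupError("gave up after max_pages pages")
    if len(matches) != 1:
        raise DirectoryLookupError(f"expected 1 matching directory, found {len(matches)}")
    return matches.pop()


# Constructed sample responses: the Confluence workspace is on the second page.
SAMPLE_PAGES = {
    None: {
        "data": [{"attributes": {"type": "Jira Software", "name": "example",
                                 "directory": "dir-jira-0001"}}],
        "links": {"next": "cursor-2"},
    },
    "cursor-2": {
        "data": [{"attributes": {"type": "Confluence", "name": "example",
                                 "directory": "dir-conf-0002"}}],
        "links": {},
    },
}


def sample_fetch(cursor: Optional[str]) -> dict:
    """Offline stand-in for the workspaces request."""
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    print(find_directory_id(sample_fetch, "example"))
```

Failing when zero or several directories match keeps a Directory ID from the wrong workspace out of the secret.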

#### Creating your Confluence data source


When creating your Confluence Cloud data source, provide these three values in your AWS Secrets Manager secret:

1. Admin API Key

1. Organization ID

1. Directory ID

For more information about Atlassian admin API scopes, see [Atlassian API scopes documentation](https://developer.atlassian.com/cloud/admin/scopes/).

For API details, see [Atlassian Admin Workspace API reference](https://developer.atlassian.com/cloud/admin/organization/rest/api-group-workspaces/#api-group-workspaces).

#### Updating your Confluence data source


To update an existing Confluence Cloud data source with new admin credentials, add the following key pairs to your AWS Secrets Manager secret:

1. `adminApiKey`, {Admin API Key}

1. `organizationId`, {Organization ID}

1. `directoryId`, {Directory ID}

For more information about Atlassian admin API scopes, see [Atlassian API scopes documentation](https://developer.atlassian.com/cloud/admin/scopes/).

For API details, see [Atlassian Admin Workspace API reference](https://developer.atlassian.com/cloud/admin/organization/rest/api-group-workspaces/#api-group-workspaces).

## Step 3: Retrieving Confluence (Cloud) client ID and client Secret


To connect Confluence (Cloud) to Amazon Q using OAuth 2.0 authentication, you need to provide a Confluence (Cloud) client ID and client secret. The following procedure shows you how to retrieve these.

**Note**  
You must create an OAuth 2.0 app before you can retrieve the client ID and client secret. See [Configuring an OAuth 2.0 app integration](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/confluence-cloud-credentials.html#confluence-cloud-credentials-oauth-app) for more details.

**Retrieving Confluence (Cloud) client ID and client secret**
+ From the left navigation menu, choose **Settings**. Then, scroll down to **Authentication details** section and copy and save the following in a text editor of your choice:
  + Client ID – You will enter this as **App key** in the Amazon Q console.
  + Client Secret – You will enter this as **App secret** in the Amazon Q console.  
![\[Screenshot of the OAuth application details page showing the client ID and client secret that need to be copied for API authentication with Confluence.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-15.png)

  You will need these to generate your Confluence (Cloud) OAuth 2.0 token and also to connect Amazon Q to Confluence (Cloud).

For more information, see [Implementing OAuth 2.0 (3LO)](https://developer.atlassian.com/cloud/oauth/getting-started/implementing-oauth-3lo/) and [Determining the scopes required for an operation](https://developer.atlassian.com/cloud/oauth/getting-started/determining-scopes/) in Atlassian Developer.

## Step 4: Generating a Confluence (Cloud) access token


To connect Confluence (Cloud) to Amazon Q, you need to generate an access token. The following procedure outlines how to generate an access token in Confluence (Cloud).

**Generating your Confluence (Cloud) access token**

1. Log in to your account from the [Atlassian Developer page](https://developer.atlassian.com/).

1. Open the OAuth 2.0 app you want to generate an access token for.

1. From the left navigation menu, choose **Authorization** again. Then, for **OAuth 2.0 (3LO)**, choose **Configure**.

1. From the **Authorization** page, from **Authorization URL generator**, from **Granular Confluence API authorization URL**, copy the URL and save it in a text editor of your choice.  
![\[Authorization page showing URL generator fields for User identity, Classic, and Granular Confluence API.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-16.png)

   The URL is of the following format:

   ```
   https://auth.atlassian.com/authorize?
   audience=api.atlassian.com 
   &client_id=YOUR_CLIENT_ID
   &scope=REQUESTED_SCOPE%20REQUESTED_SCOPE_TWO
   &redirect_uri=https://YOUR_APP_CALLBACK_URL
   &state=YOUR_USER_BOUND_VALUE 
   &response_type=code
   &prompt=consent
   ```

1. In the saved authorization URL, update the `state=${YOUR_USER_BOUND_VALUE}` parameter value to any text of your choice. For example, `state=`*sample_text*.

   For more information, see [What is the state parameter used for?](https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/#what-is-the-state-parameter-used-for-) in Atlassian Support.

1. Open a web browser of your choice. Then, paste the authorization URL you copied into the browser URL. On the page that opens up, make sure everything is correct and then select **Accept**.  
![\[Atlassian account access request screen showing permissions and a warning about development mode.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-17.png)

   You will be returned to your Confluence (Cloud) home page.

1. Copy the URL of the Confluence (Cloud) home page and save it in a text editor of your choice. The URL contains the authorization code for your application. You will need this code to generate your Confluence (Cloud) access token. The whole section after `code=` is the authorization code.

1. Navigate to Postman.

   If you don't have Postman, you can also choose to use cURL to generate a Confluence (Cloud) access token. Use the following cURL command to do so:

   ```
   curl --location 'https://auth.atlassian.com/oauth/token' \
   --header 'Content-Type: application/json' \
   --data '{"grant_type": "authorization_code",
   "client_id": "YOUR_CLIENT_ID",
   "client_secret": "YOUR_CLIENT_SECRET",
   "code": "AUTHORIZATION_CODE",
   "redirect_uri": "YOUR_CALLBACK_URL"}'
   ```

1. On the Postman home page, select `POST` as the method, and then enter the following URL in the **Enter URL or paste text** box: `https://auth.atlassian.com/oauth/token`.

1. Then, select **Body** from the menu, and select **raw** **JSON**.  
![\[API request interface showing POST method, URL, and JSON body with OAuth parameters.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-18.png)

1. In the text box, enter the following code extract, replacing the fields with your credential values:

   ```
   {"grant_type": "authorization_code",
   "client_id": "YOUR_CLIENT_ID",
   "client_secret": "YOUR_CLIENT_SECRET",
   "code": "YOUR_AUTHORIZATION_CODE",
   "redirect_uri": "https://YOUR_APP_CALLBACK_URL"}
   ```

1. Then, select **Send**. If everything is configured correctly, Postman will return an `access-token`. Copy the access token and save it using a text editor of your choice. You will need it to connect Confluence (Cloud) to Amazon Q.

For more information, see [Implementing OAuth 2.0 (3LO)](https://developer.atlassian.com/cloud/oauth/getting-started/implementing-oauth-3lo/) in Atlassian Developer.

## Step 5: Generating a Confluence (Cloud) refresh token


The access token you use to connect Confluence (Cloud) to Amazon Q using OAuth 2.0 authentication expires after 1 hour. When it does, you can either repeat the whole authorization process to generate a new access token, or generate a refresh token. You can use the refresh token to generate a new access token when an existing access token expires.

To do this, you add a `%20offline_access` parameter to the end of the `scope` value in the authorization URL you used to generate your access token. The following procedure shows you how to generate a refresh token.

**Generating a Confluence (Cloud) refresh token**

1. Log in to your account from the [Atlassian Developer page](https://developer.atlassian.com/).

1. Open the OAuth 2.0 app you want to generate a refresh token for.

1. From the left navigation menu, choose **Authorization** again. Then, for **OAuth 2.0 (3LO)**, choose **Configure**.

1. From the **Authorization** page, from **Authorization URL generator**, from **Granular Confluence API authorization URL**, copy the URL and save it in a text editor of your choice.  
![\[Authorization page showing URL generator fields for User identity, Classic, and Granular Confluence API.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-16.png)

1. In the saved authorization URL, update the `state=${YOUR_USER_BOUND_VALUE}` parameter value to any text of your choice. For example, `state=`*sample_text*.

   For more information, see [What is the state parameter used for?](https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/#what-is-the-state-parameter-used-for-) in Atlassian Support.

1. Then, add the following text at the end of the `scope` value in your authorization URL: `%20offline_access` and copy it. For example:

   ```
   https://auth.atlassian.com/authorize?
   audience=api.atlassian.com 
   &client_id=YOUR_CLIENT_ID
   &scope=REQUESTED_SCOPE%20REQUESTED_SCOPE_TWO%20offline_access
   &redirect_uri=https://YOUR_APP_CALLBACK_URL
   &state=YOUR_USER_BOUND_VALUE 
   &response_type=code
   &prompt=consent
   ```

1. Open a web browser of your choice and paste the modified authorization URL you copied into the browser URL. On the page that opens up, make sure everything is correct and then select **Accept**.  
![\[Atlassian account access request screen showing permissions and a warning about development mode.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-17.png)

   You will be returned to the Confluence (Cloud) console.

1. Copy the URL of the Confluence (Cloud) home page and save it in a text editor of your choice. The URL contains the authorization code for your application. You will need this code to generate your Confluence (Cloud) refresh token. The whole section after `code=` is the authorization code.

1. Navigate to Postman.

   If you don't have Postman, you can also choose to use cURL to generate a Confluence (Cloud) access token. Use the following cURL command to do so:

   ```
   curl --location 'https://auth.atlassian.com/oauth/token' \
   --header 'Content-Type: application/json' \
   --data '{"grant_type": "authorization_code",
   "client_id": "YOUR CLIENT ID",
   "client_secret": "YOUR CLIENT SECRET",
   "code": "AUTHORIZATION CODE",
   "redirect_uri": "YOUR CALLBACK URL"}'
   ```

1. On the Postman home page, select `POST` as the method, and then enter the following URL in the **Enter URL or paste text** box: `https://auth.atlassian.com/oauth/token`.

1. Then, select **Body** from the menu, and select **raw** **JSON**.  
![\[API request interface showing POST method, URL, and JSON body with OAuth parameters.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-18.png)

1. In the text box, enter the following code extract, replacing the fields with your credential values:

   ```
   {"grant_type": "authorization_code",
   "client_id": "YOUR_CLIENT_ID",
   "client_secret": "YOUR_CLIENT_SECRET",
   "code": "YOUR_AUTHORIZATION_CODE",
   "redirect_uri": "https://YOUR_APP_CALLBACK_URL"}
   ```

1. Then, select **Send**. If everything is configured correctly, Postman will return a `refresh-token`.

   Copy the refresh token and save it using a text editor of your choice. You will need it to connect Confluence (Cloud) to Amazon Q.

For more information, see [Implementing a Refresh Token Flow](https://developer.atlassian.com/cloud/oauth/getting-started/refresh-tokens/) in Atlassian Developer.
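The authorization URL and redirect handling from Steps 4 and 5, as an added Python example (not code from AWS or Atlassian). It uses a random `state` (the steps allow any text) so the redirect can be tied back to the request that started it, and it parses the returned URL instead of copying the text after `code=` by hand. The function names, client ID and sample redirect are constructed.

```python
"""Build the Atlassian authorization URL and validate the redirect that follows."""
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://auth.atlassian.com/authorize"


class CallbackError(Exception):
    """The redirect cannot be trusted or carries no usable authorization code."""


def build_authorization_url(client_id, scopes, redirect_uri, want_refresh_token=False):
    """Return (url, state). Keep state until the redirect comes back."""
    scopes = list(scopes)
    if want_refresh_token and "offline_access" not in scopes:
        scopes.append("offline_access")  # Step 5: also request a refresh token
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "audience": "api.atlassian.com",
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
        "prompt": "consent",
    }, quote_via=quote)  # quote() writes the scope separator as %20
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def extract_authorization_code(callback_url, expected_state, redirect_uri):
    """Return the code from the redirect URL after checking host and state."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise CallbackError("redirect landed on an unexpected host")
    params = parse_qs(got.query)
    if "error" in params:
        raise CallbackError(f"authorization refused: {params['error'][0]}")
    state = params.get("state", [])
    if len(state) != 1 or not hmac.compare_digest(state[0].encode(), expected_state.encode()):
        raise CallbackError("state mismatch: discard this redirect")
    code = params.get("code", [])
    if len(code) != 1 or not code[0]:
        raise CallbackError("no single authorization code in redirect")
    return code[0]


def token_request_body(client_id, client_secret, code, redirect_uri):
    """JSON body for POST https://auth.atlassian.com/oauth/token (same fields as the steps)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }


if __name__ == "__main__":
    callback = "https://example.atlassian.net"  # the Confluence (Cloud) URL from Step 1
    url, state = build_authorization_url(
        "constructed-client-id", ["read:me", "read:page:confluence"], callback,
        want_refresh_token=True)
    print(url)
    # Constructed redirect, shaped like the URL the browser lands on after Accept.
    landed = f"{callback}/?code=constructed-code&state={state}"
    print(extract_authorization_code(landed, state, callback))
```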

## Step 6: Generating a new Confluence (Cloud) access token using a refresh token


You can use the refresh token you generated to create a new access token-refresh token pair when an existing access token expires. The following procedure shows you how to generate the new pair.

**Generating a Confluence (Cloud) access token-refresh token pair**

1. Copy the refresh token you generated following the steps in [Step 5: Generating a Confluence (Cloud) refresh token](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/confluence-cloud-credentials.html#confluence-cloud-credentials-refresh).

1. Navigate to Postman.

   If you don't have Postman, you can also choose to use cURL to generate a new Confluence (Cloud) access token. Use the following cURL command to do so:

   ```
   curl --location 'https://auth.atlassian.com/oauth/token' \
   --header 'Content-Type: application/json' \
   --data '{"grant_type": "refresh_token",
   "client_id": "YOUR_CLIENT_ID",
   "client_secret": "YOUR_CLIENT_SECRET",
   "refresh_token": "YOUR_REFRESH_TOKEN"}'
   ```

1. On the Postman home page, select `POST` as the method, and then enter the following URL in the **Enter URL or paste text** box: `https://auth.atlassian.com/oauth/token`.

1. Then, select **Body** from the menu, and select **raw** **JSON**.  
![\[Screenshot of the Postman interface showing how to set up a POST request to refresh an access token using the refresh token.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/confluence-20.png)

1. In the text box, enter the following code extract, replacing the fields with your credential values:

   ```
   {"grant_type": "refresh_token",
   "client_id": "YOUR_CLIENT_ID",
   "client_secret": "YOUR_CLIENT_SECRET",
   "refresh_token": "YOUR REFRESH TOKEN"}
   ```

1. Then, select **Send**. If everything is configured correctly, Postman will return a new access token-refresh token pair in the following format:

   ```
   {
   "access_token": "string",
   "expires_in": "expiry time of access_token in seconds",
   "scope": "string",
   "refresh_token": "string"
   }
   ```

For more information, see [Implementing a Refresh Token Flow](https://developer.atlassian.com/cloud/oauth/getting-started/refresh-tokens/) and [How do I get a new access token, if my access token expires or is revoked?](https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/#how-do-i-get-a-new-access-token--if-my-access-token-expires-or-is-revoked-) in Atlassian Developer.

# How Amazon Q works with Confluence (Cloud) access and refresh tokens


The following are important points to note about using Confluence (Cloud) access and refresh tokens with Amazon Q:
+ If the Confluence (Cloud) access token-refresh token pair you use to connect to Amazon Q is expired or invalid, the Amazon Q sync process fails. If this happens, you need to generate and provide a new pair of tokens.
+ If your access token is valid but you have an invalid refresh token, Amazon Q will sync data until the access token expires (up to 1 hour). After the access token expires, you won't be able to re-generate an access token-refresh token pair using the expired refresh token. When both access token and refresh token expire, the Amazon Q Confluence (Cloud) data source connector stops syncing.
+ If an access token expires during the Confluence (Cloud) connector sync process, the connector internally regenerates a new pair of tokens using the existing refresh token (if the provided refresh token is valid). After regenerating the new pair of tokens, the old pair is invalidated by Confluence (Cloud) and can't be re-used. To sync documents again after the connector auto-regenerates tokens, you must provide a new access token-refresh token pair.
+ If you use OAuth, select **Rotate secret** if you want Amazon Q to rotate the secret automatically so that you don’t have to manually update the secret every time before you sync. 
+ As a best practice, use Confluence (Cloud) OAuth and the **Rotate secret** feature for the Amazon Q connector.
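The rotation behavior in the list above and in Step 6, as an added Python simulation (not AWS or Atlassian code). `RotatingTokenIssuer` is a constructed in-memory stand-in for the token endpoint that retires a refresh token once it has been used, which is the behavior the list describes; all names and token values are constructed.

```python
"""Simulate refresh-token rotation to show why a saved copy of a token pair goes stale."""
import secrets


class InvalidGrant(Exception):
    """The refresh token presented is unknown or has already been used."""


class RotatingTokenIssuer:
    """In-memory stand-in for the token endpoint (simulation only)."""

    ACCESS_TTL_SECONDS = 3600  # access tokens expire after 1 hour

    def __init__(self):
        self._live_refresh_tokens = set()

    def issue_initial_pair(self):
        return self._new_pair()

    def refresh(self, refresh_token):
        # Rotation: a refresh token is accepted once, then retired.
        if refresh_token not in self._live_refresh_tokens:
            raise InvalidGrant("refresh token is no longer valid")
        self._live_refresh_tokens.discard(refresh_token)
        return self._new_pair()

    def _new_pair(self):
        pair = {
            "access_token": secrets.token_urlsafe(16),
            "expires_in": self.ACCESS_TTL_SECONDS,
            "refresh_token": secrets.token_urlsafe(16),
        }
        self._live_refresh_tokens.add(pair["refresh_token"])
        return pair


def sync_with_stored_pair(issuer, stored_pair, access_token_expired):
    """Return (sync_ok, pair_valid_afterwards) for one sync attempt."""
    if not access_token_expired:
        return True, stored_pair
    try:
        # The access token ran out mid-sync: regenerate from the refresh token.
        return True, issuer.refresh(stored_pair["refresh_token"])
    except InvalidGrant:
        return False, None


def demo():
    issuer = RotatingTokenIssuer()
    saved = issuer.issue_initial_pair()  # the pair originally provided to the data source
    # First sync: access token expires, the pair is regenerated, the sync succeeds.
    first_ok, rotated = sync_with_stored_pair(issuer, saved, access_token_expired=True)
    # Second sync still holding the originally saved pair: its refresh token is retired.
    second_ok, _ = sync_with_stored_pair(issuer, saved, access_token_expired=True)
    # Same sync when the rotated pair was written back to the secret.
    third_ok, _ = sync_with_stored_pair(issuer, rotated, access_token_expired=True)
    return first_ok, second_ok, third_ok


if __name__ == "__main__":
    print(demo())
```

The second attempt is the case where a new pair must be supplied by hand; the third is what storing the rotated pair in the secret achieves.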

# Checking Confluence (Cloud) connectivity


Before you sync your Confluence (Cloud) data source connector after [configuring it](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/confluence-cloud-console.html), we recommend you check the connection between Amazon Q Business and Confluence (Cloud). The following are the cURL commands you need to check Confluence (Cloud) connectivity.

**Topics**
+ [Checking basic authentication connectivity](#confluence-cloud-connection-check-basic)

## Checking basic authentication connectivity


To check connectivity for a Confluence (Cloud) data source connector using basic authentication, use the following cURL command:

```
curl --location 'https://<confluence_host-url>/wiki/rest/api/user/current' \
--header 'Authorization: Basic <base64(email:api_token)>'
```

If your data source is connected as expected, the JSON response should resemble the following:

```
{
    "type": "known",
    "accountId": "accountId",
    "accountType": "atlassian",
    "email": "email",
    "publicName": "Administrator",
    "profilePicture": {
        "path": "/wiki/aa-avatar/<accountId>",
        "width": 48,
        "height": 48,
        "isDefault": false
    },
    "displayName": "Administrator",
    "isExternalCollaborator": false,
    "_expandable": {
        "operations": "",
        "personalSpace": ""
    },
    "_links": {
        "self": "https://<host_url>/wiki/rest/api/user?accountId=<accountId>",
        "base": "https://<host_url>/wiki",
        "context": "/wiki"
    }
}
```

If your Confluence (Cloud) connector is not connected correctly, you will see the following error:
+ CNF-5123: The profile value is invalid. Try again after sometime.

To troubleshoot the issue, check your Confluence (Cloud) URL and make sure it's correct.