Decoding yields this claims set:
{
"iss": "74a461e6-27e4-35af-a159-2ac40a0cb686",
"sub": "5cdae9b3254e450fd8d21090",
"qsh": "4570fca97261dfb49210390ab2cfebb5d193bdc4f0ff9f19439a37124470f313",
"iat": 1623246980,
"exp": 1623247880
}
We’ve just confirmed the qsh claim. And for the others you explained:
iss => which i set to clientKey
sub => which is the users accountId
iat => current unix timestamp
exp => current unix timestamp + 15 min
The only suspect remaining seems to be sub. Can you try removing it? If you need the attachment to be uploaded “as the user”, then I think you’ll need to use:
https://developer.atlassian.com/cloud/jira/platform/user-impersonation-for-connect-apps/