As per Understanding JWT for Connect apps, the Jira and Confluence APIs today allow Connect apps to provide authentication JWTs as either an Authorization: JWT header in requests, or as a ?jwt= query string parameter.
Following this deprecation period, Atlassian APIs will no longer accept Connect app JWTs as a query string parameter. This change does not affect how Jira or Confluence provides the Atlassian product JWTs to Connect app modules/iframes.
Accepting sensitive JWTs as a query string parameter presents a problem because the query string is often saved in web browser history, passed in Referer headers to other web sites, and stored in web logs, such as those of intermediate proxy servers.
If your app provides its Connect JWT to the Atlassian APIs as a query string parameter, you must update it to pass the JWT via an Authorization: JWT header.
?jwt= query string support from the Jira and Confluence APIs by Feb 1, 2022. After this date, the Atlassian Jira and Confluence APIs will no longer inspect the ?jwt= query string parameter and requests from your app may fail with an HTTP 401 response.
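One way an app could make the change described above, shown as an added example that is not Atlassian's code: a helper that takes a legacy request URL carrying ?jwt=, moves the token into an Authorization: JWT header, and masks the token when a legacy URL has to be logged. The function names, the example.atlassian.net host and the token are constructed for illustration.

```javascript
// Added example (not Atlassian code). Function names, host and token are constructed.
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.e30.constructed-signature';
const SAMPLE_URL =
  `https://example.atlassian.net/rest/api/2/issue/TEST-1?expand=names&jwt=${SAMPLE_TOKEN}`;

// Move a Connect JWT from ?jwt= into an "Authorization: JWT <token>" header.
// Returns the cleaned URL and the headers to pass to the HTTP client.
function moveJwtToHeader(requestUrl, headers = {}) {
  const url = new URL(requestUrl);
  const tokens = url.searchParams.getAll('jwt');
  const out = { ...headers };
  const hasAuthHeader = Object.keys(out).some((k) => k.toLowerCase() === 'authorization');

  if (tokens.length === 0) {
    if (!hasAuthHeader) throw new Error('request carries no JWT');
    return { url: url.toString(), headers: out, migrated: false };
  }
  // Refuse ambiguous input instead of guessing which credential is meant.
  if (tokens.length > 1) throw new Error('more than one jwt parameter');
  if (tokens[0] === '') throw new Error('empty jwt parameter');
  if (hasAuthHeader) throw new Error('JWT present in both header and query string');

  // Deleting re-serializes the remaining parameters (a space becomes "+").
  url.searchParams.delete('jwt');
  out.Authorization = `JWT ${tokens[0]}`;
  return { url: url.toString(), headers: out, migrated: true };
}

// Mask the token in a legacy URL before it is written to an application log.
function redactForLog(requestUrl) {
  const url = new URL(requestUrl);
  if (url.searchParams.has('jwt')) url.searchParams.set('jwt', 'REDACTED');
  return url.toString();
}

const req = moveJwtToHeader(SAMPLE_URL, { Accept: 'application/json' });
console.log(req.url);
console.log(redactForLog(SAMPLE_URL));
```

Calling moveJwtToHeader at the single point where the app builds outgoing requests keeps the token out of every URL the HTTP client, proxies and logs will see.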