Good point! There’s a new API that went out for Confluence last week: New Download attachment REST API endpoint
For the existing API, the recommended approach is:
- If your app server needs the attachment, specify the JWT via header; or
- If the end user needs the attachment, rely on session authentication. E.g. redirect them to `https://<site>.atlassian.net/secure/attachments/...`; if they’re logged in, the attachment will download.