Addon.authenticate vs addon.checkValidToken - differences? when to use which?

Possibly a noob question, but I’m checking my code and noticed that I use


in almost all backend entries (both the ones that are requested by Jira and the ones that I fetch from front end). Only for uninstall I use addon.authenticateInstall() as is done here: Bitbucket
But also on the same page there is


used/recommended in the “How to send a signed HTTP request from the iframe back to the add-on service” section.

I’ve tried to search what are the differences between the two function and I still don’t know :frowning:

Anyone could explain differences between authenticate and checkValidToken functions or point to a page where it is described?
Maybe some guidance when to use which.

Checking the source code it looks like both of the methods do the same. The only difference is that checkValidToken additionally checks if AC_OPTS environment variable is set to no-token-verfication and if it is, then authentication is not performed.

Make sure you use addon.authenticate() (i.e. without true) for backend calls from Jira.

1 Like

Thanks, that’s very useful and already implemented.

I’m assuming the same is for getting the atlassian-connect.json from backend, so it should be:

app.get('/', addon.authenticate(), (req, res) => {

and the addon.authenticateInstall() method should not be used there?

@ZbigniewPiecuch atlassian-connect.json should be available without authentication I believe.

Yes, ultimately I have that way.
Thanks again.