App JWT tokens in user-impersonated plug-ins

We are migrating our static macro for Confluence Cloud from App impersonation (generating JWT tokens and sending it with the query) to User impersonation (requesting security token from Atlassian auth server and sending it along with our requests to Atlassian apps).
The questions are:

  1. Should we send old JWT tokens along with new security tokens or if we send security tokens, App JWT tokens are not used any more?
  2. If we should not send JWT tokens, how QSH, which helps to avoid query string parameters tampering, is sent?