"Authentication for apps" documentation on install and JWT is confusing (doesn't match install payload and headers)

The Auth for Apps documentation mentions that the first install should not include a JWT:

First install: None; no JWT token. Because there was no previous shared secret the recipient cannot validate a JWT token. This means that you should anticipate that there will be no Authorization header present.

However, in practice, we’ve seen a request that includes a JWT.

In this case, we’ve installed/uninstalled this application several times during testing. Could that be why we see a JWT come in the install payload?

Yes. If you’ve previously installed the app and then uninstall and reinstall it, there will be a secret that can be used to sign a JWT token. If there is a JWT token passed on the install call, you should try to respect it (one more thing to make the app secure).

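An added illustration of the reinstall case above (example code, not from the thread or from Atlassian): an `installed` lifecycle handler that stores the shared secret on a first install, and on a reinstall only replaces it after verifying the incoming `Authorization: JWT ...` header against the secret kept from the previous install. The HS256 helpers, the in-memory `store` keyed by `clientKey`, and the policy of rejecting a reinstall that arrives without a verifiable JWT are assumptions of this example, not statements from the page.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_jwt(claims: dict, secret: str) -> str:
    """Sign claims with HS256; used here only to build constructed sample requests."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256_jwt(token: str, secret: str, now: int) -> dict:
    """Check alg, signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a key-confusion alg
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < now:
        raise ValueError("expired")
    return claims

def handle_installed(payload: dict, headers: dict, store: dict, now: int) -> str:
    """Decide whether this 'installed' call may (re)write the tenant's shared secret."""
    client_key = payload["clientKey"]
    known_secret = store.get(client_key)  # assumption: store maps clientKey -> secret
    if known_secret is None:
        # First install: nothing to validate against, so no JWT can be required.
        store[client_key] = payload["sharedSecret"]
        return "first-install"
    auth = headers.get("Authorization", "")
    if not auth.startswith("JWT "):
        return "rejected: reinstall without JWT"  # assumed policy, see lead-in
    try:
        claims = verify_hs256_jwt(auth[len("JWT "):], known_secret, now)
    except ValueError as exc:
        return f"rejected: {exc}"
    if claims.get("iss") != client_key:
        return "rejected: issuer mismatch"
    store[client_key] = payload["sharedSecret"]  # only now rotate to the new secret
    return "reinstall"
```

The key point is that the stored secret is only overwritten once the caller has proved knowledge of the previous one; a failed check leaves the store untouched.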