Hi @MaciejStanuch,
wondering if this endpoint can be used by the app to check on a user’s permission. We have the user’s account id, the project etc …
Background:
We want to set dynamic webhooks (this can only be done by the app and not from the client via AP.request). A project admin initiates the request via a custom project settings page. To be secure we need to check the user’s permissions from within the app to be PROJECT_ADMIN before setting webhooks - see here for more detail. If this check is not performed, anyone with a valid JWT could craft a request to change this setting.
Any guuidance is much appreciated 
Hi @izymesdev,
yes, I think you can. You need to make a request similar to the dynamic webhook one, it has to be made by the app with valid JWT.
Here’s a documentation for this endpoint: https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-permissions/#api-rest-api-3-permissions-get
As you may see, the required Connect scope is READ, so if your app has READ or ADMIN scope it should be possible to just make a request from the app. Take a note that in your case you will probably need ADMIN scope anyways to be able to check other users permissions.
Example request for your use case:
{
"accountId": "5b10a2844c20165700ede21g",
"projectPermissions": [
{
"projects": [
10001
],
"permissions": [
"ADMINISTER_PROJECTS"
]
}
]
}