Custom asset avatars always return 401 in Forge — has anyone figured this out?

We’ve been stuck on this for a while and can’t seem to find a way forward, so hoping someone here has run into the same thing.

We’re building a Forge app for JSM that displays assets. Everything works fine except for custom avatars — when an asset has a user-uploaded avatar, the Atlaskit Avatar component fails to load it and the browser throws a 401.

The weird part is that if we take that exact same URL and hit it with curl using a token, the image comes back just fine:

curl -u user@example.com:<API_TOKEN> \
  "https://api.atlassian.com/jsm/assets/workspace/workspaceId/v1/object/assetId/avatar_16.png"

So the URL is correct and the resource is there — it seems like when the tag inside the component makes the request from Forge’s iframe, it doesn’t carry any auth headers and Atlassian rejects it.

We’re using it like this:

<Avatar
  src={asset.avatarUrl}
  name={asset.name}
  size="medium"
/>

Default/system avatars load without any issues — it’s only the custom ones that break.

We’ve already tried using different permission scopes in the manifest.

Our guess is that we need to proxy the image through a Forge Function to attach the token, but before going down that road we wanted to check:

— Is there a native/supported way to render these avatars from the Forge UI?
— Is this a known limitation of Forge’s sandboxed iframe with auth-protected resources?
— Has anyone solved this a different way without going the proxy route?

Environment
Platform: Jira Service Management (Cloud)
Framework: Forge (Custom UI)
Component: @atlaskit/avatar
Feature: Assets / Insight

Thanks in advance :folded_hands:
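
If the proxy route mentioned above is taken, the function that attaches the token should do so only for URLs shaped like the avatar URL in the post, so that a tampered `avatarUrl` cannot carry the credential to another host or another workspace. This is an added example, not code from the post or from Atlassian; `checkAvatarUrl`, the accepted ID character set and the sample workspace ID `ws-1` are assumptions.

```javascript
// Added example: gate for a hypothetical avatar proxy function.
// Only a URL with the same shape as the one in the post may have the token attached.
const ALLOWED_HOST = 'api.atlassian.com';

// /jsm/assets/workspace/<workspaceId>/v1/object/<objectId>/avatar_<size>.png
// The ID character set is an assumption; tighten it to the IDs your site really uses.
const AVATAR_PATH =
  /^\/jsm\/assets\/workspace\/([A-Za-z0-9-]+)\/v1\/object\/([A-Za-z0-9-]+)\/avatar_(\d{1,3})\.png$/;

function checkAvatarUrl(rawUrl, expectedWorkspaceId) {
  let url;
  try {
    url = new URL(rawUrl); // also resolves "../" segments before the path is matched
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  // "https://api.atlassian.com@other.example/..." parses with a different hostname;
  // reject any userinfo or explicit port outright.
  if (url.username || url.password || url.port) return { ok: false, reason: 'authority' };
  // Exact match, so "api.atlassian.com.other.example" does not pass.
  if (url.hostname !== ALLOWED_HOST) return { ok: false, reason: 'host' };
  if (url.search || url.hash) return { ok: false, reason: 'extra' };

  const m = AVATAR_PATH.exec(url.pathname);
  if (!m) return { ok: false, reason: 'path' };
  // The token must only ever be used against the workspace the app is bound to.
  if (m[1] !== expectedWorkspaceId) return { ok: false, reason: 'workspace' };

  return { ok: true, url: url.href, objectId: m[2], size: Number(m[3]) };
}

// Constructed sample inputs (not real asset URLs).
const base = 'https://api.atlassian.com/jsm/assets/workspace/ws-1/v1/object/42';
const samples = [
  `${base}/avatar_16.png`,
  'https://api.atlassian.com.other.example/jsm/assets/workspace/ws-1/v1/object/42/avatar_16.png',
  'https://api.atlassian.com@other.example/jsm/assets/workspace/ws-1/v1/object/42/avatar_16.png',
  'https://api.atlassian.com/jsm/assets/workspace/ws-2/v1/object/42/avatar_16.png',
  `${base}/../../../../../../other`,
];
for (const s of samples) {
  const r = checkAvatarUrl(s, 'ws-1');
  console.log(r.ok ? 'ALLOW' : `DENY (${r.reason})`, s);
}
```

The proxy would call `checkAvatarUrl` first and make the authenticated request only when `ok` is true, using the returned `url` rather than the caller's original string.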