No, I think that isn’t the use case.
I believe @Berkayztrk is already sending the JWT while making the request, either via the hbs-rendered one or by calling AP.context.getToken().
Most of the apps are already using addon.checkValidToken() or similar to validate incoming requests. But there are some apps that need to make extra validations in order to perform some actions.
For example, if an app has configurations on Project Settings or Jira Apps Administration, only Jira Administrators or Project Administrators should be able to update them.
This is useful for preventing Broken Access Control vulnerabilities, and I think it’s pretty common in most apps on the Atlassian Marketplace.
In our case, we’ve created a middleware that requests the user’s permissions from Jira and only performs changes if the user is authorized to do so.
One solution would be to have some new middlewares in atlassian-connect-express - e.g. addon.checkAdmin() - which would verify that the token is valid and the user is an admin. I understand there are plenty of cases for it and making ACE middlewares for all of them isn’t feasible.
I think a lot of apps should implement this, and it would be great if we could gather a general solution for it - like I said, we are using the /rest/api/3/permissions/check endpoint in almost every request.
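As an added illustration (not the poster’s code), here is what such a middleware can look like for an atlassian-connect-express app: it runs after addon.authenticate(), asks Jira via POST /rest/api/3/permissions/check whether the caller is a site admin or an admin of the given project, and fails closed otherwise. The `postCheck(req, body)` hook is an assumption so the logic can be exercised without a Jira instance; in a real app it would wrap addon.httpClient(req).asUserByAccountId(...).post(...).

```javascript
// Build the body for POST /rest/api/3/permissions/check.
// `required` may carry a global permission and/or a project permission.
function buildPermissionCheckBody(required) {
  const body = {};
  if (required.globalPermission) {
    body.globalPermissions = [required.globalPermission];
  }
  if (required.projectPermission) {
    body.projectPermissions = [{
      permissions: [required.projectPermission],
      projects: [required.projectId],
    }];
  }
  return body;
}

// Jira echoes back only the permissions the user actually holds, so a
// missing entry means "denied". Either the global or the project
// permission is enough (site admin OR project admin).
function isPermitted(response, required) {
  const granted = (response && response.globalPermissions) || [];
  if (required.globalPermission && granted.includes(required.globalPermission)) {
    return true;
  }
  if (required.projectPermission) {
    const entries = (response && response.projectPermissions) || [];
    return entries.some(e => e.permission === required.projectPermission &&
      (e.projects || []).includes(required.projectId));
  }
  return false;
}

// Express middleware factory. Mount it after addon.authenticate() so that
// req.context.userAccountId is populated. `postCheck` is the assumed hook
// that performs the permissions/check call as the current user.
function requireJiraPermission(required, postCheck) {
  return async function (req, res, next) {
    try {
      const accountId = req.context && req.context.userAccountId;
      if (!accountId) return res.status(401).send('no user context');
      const response = await postCheck(req, buildPermissionCheckBody(required));
      if (!isPermitted(response, required)) return res.status(403).send('forbidden');
      return next();
    } catch (err) {
      return next(err); // any error in the check is treated as a denial
    }
  };
}
```

A route updating project settings would then be declared as `app.post('/settings/:projectId', addon.authenticate(), requireJiraPermission({ globalPermission: 'ADMINISTER', projectPermission: 'ADMINISTER_PROJECTS', projectId: 10000 }, postCheck), handler)`.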