I think something like generating a JWT token using the JavaScript API (AP.context.getToken()) on the Jira-side page and then sending it to your API (which would have to verify it) could work.
Indeed, I just found this post that seems to perfectly describe the same use-case: