Is there a public jwk I can use to validate the JWT on the install lifecycle event? How do I know it actually came from Atlassian? I’m saving state to my datastore whenever this event occurs to record the sharedSecret and other information but if the address for this webhook were discovered someone could bombard it with fake data because I don’t see a way to validate it. How do I protect this webhook listener?
There was a discussion about Securing install endpoint on first call but I would be careful about locking down by IP address since you’ll want to make sure you’re up for maintaining the list.
Best thing is to always validate against the sharedSecret from the previous installation and then always validate things against it ( see Signed installation callback requests at https://developer.atlassian.com/cloud/jira/platform/security-for-connect-apps/ ).