About doc: Your app should use this token to check the validity of the token.
How to validate the token without making an API call?
The first thing before processing the request should be to check the validity of the token, but do I need to make an API call to do this?
There should be some comparison method, because it is not nice to bombard the Stride API for any successfully decoded token, even if it is not generated by Stride.
I inspected the sample code (https://bitbucket.org/atlassian/stride-apps-reference/src/be42f690efe6ac50da4c15b77bc80c29340e95d1/reference/middleware/mw.js?at=master&fileviewer=file-view-default#mw.js-74); it extracts the context but is not really checking any security.