How to verify that a Forge remote has received a request from an authenticated user in a specific Jira instance?

Hi folks! I’m building an internal Forge application at work, so that we can augment our Jira issues with some data about our business context as part of a custom field. The data is exposed through an API service that we control.

Here’s the workflow that I want to implement:

  1. User loads a Jira issue in our production instance.
  2. As the issue loads, the Forge app executes when the custom field is rendered.
  3. The Forge app accesses our API through a Forge remote.
  4. Our API verifies that the request from the Forge app is from an authenticated user in our production Jira instance.
  5. If so, returns the data. If not, returns an error.

I want to understand how step (4) can be achieved. The Forge app is only installed in our production Jira instance, so I want the API to be able to confirm that by using the Jira user’s authentication when they load the issue.

Welcome to the Atlassian developer community @FernandoMartinez,

Your 4th step is handled by a Forge Invocation Token (FIT), which also explains how to validate the token. Right now, your Forge Remote could not receive a FIT without a user (as the principal claim in the JWT); it’s simply part of the FIT contract.

However, if you wanted to implement authorization instead of just authentication, your Forge Remote could perform additional checks using the FIT, like maybe checking, “Is the principal in the admin group?” That’s code you’d have to write in the validation function.

3 Likes