What is the recommended authentication mechanism for Atlassian Connect apps making API calls on behalf the of user? When would you use JWT vs Access Tokens?
JWT Bearer token authorization grant type for OAuth 2.0, also known as two-legged OAuth with impersonation (2LOi), can only be used in Connect apps. OAuth 2.0 authorization code grants, also known as three-legged OAuth (3LO), can be used in any apps or integrations.
In your case, either way is fine. Each of them have own benefits. To understand more, we have some sample apps on both of them: Bitbucket Cloud JWT Grant Sample App and Bitbucket Cloud Authorization Code Grant Sample App.