Possible to add Authorization layer for REST APIs exposed by Connect server?

I’m honestly a bit baffled but I hope I’m misunderstanding. It doesn’t seem like Jira Cloud gives addon builders the ability to add authorization to REST endpoints exposed by their Connect servers without the ACT_AS_USER scope.

This seems to be the case because there is no API to fetch global permissions or any custom permissions for a user without requesting the permissions as the user. This obviously means you end up having to add ACT_AS_USER, which is frustrating when you’re only using it to fetch permissions.

I’ve got a few suggestions about how to possibly work around this but they don’t sound ideal either.

  1. Pass through the permissions to the front end using context parameters and validating the request on the backend but all that means is that the request wasn’t tampered with. So if I understand correctly, it wouldn’t actually stop someone from just sending a valid request from the Connect iframe and saying they have escalated permissions. So this just ends up feeling like security through obscurity.

  2. Use groups to define who has permission, but this obviously adds overhead for us where we’re now handling permissions separately from Jira and we have to expose a UI or just document this. This also feels like mental overhead for Jira admins as opposed to just adding a global permission to a group. And it almost feels circular where we can’t really add authorization to an endpoint to define which groups have authorization unless you take the previous approach.

If I’m missing something or if you use another approach, that would be great to know.