QSH and JWT for JIRA connect plugin

Been struggling with this for quite a while. My first plugin is working nicely, but I have been ignoring the qsh values. Now looking to tighten security so I want to verify the qsh and signature of the jwt token.

Struggling to recreate the qsh of the call by the Atlassian server:

My server tells me that Atlassian appends fields as follows:


I decode the jwt and get a nice object with a qsh value. But when I try to recreate the qsh using the url above I get a different value for qsh.

Am using a standard recommended library. Any tips would be most gratefully received.

@colin.hammond - which library are you using? There is the Node.js library here that helps you to create & decode JWT tokens.

I am using the PHP Firebase library.

For recreating qsh, did you reorder the query parameters based on their percent-encoded names? In the Understanding JWT for Connect apps documentation, kindly navigate to the Creating a query string hash section for detailed instructions on how to generate qsh. I missed this part when I was starting out, might be the same case you’re experiencing.


Many thanks for that suggestion Iragudo,

I also use a QSH library from here that does the sorting when it creates the QSH, so I don’t think that is the problem.


When Atlassian calculates the qsh to send, does it include all of the above query parameters?

Can anyone help me answer this question?

I have asked the question on this forum. I have contacted Atlassian to see if I can pay to get the answer. I have contacted five Atlassian premium partners in the UK. Is there anybody out there who has built a JIRA connect app who is prepared to help me for a few hours? Happy to pay for your time.
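An added example, not part of the original thread and not code from any library mentioned in it: a Node.js sketch of the qsh canonicalisation from the documentation section named in the reply above (path relative to the app's base URL, names and values percent-encoded, parameters sorted by encoded name, the `jwt` parameter itself left out), which bears on both the sorting suggestion and the question of which query parameters enter the hash. The function names, the sample URL and the `claims` object (the decoded payload of a token whose signature has already been verified) are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// RFC 3986 percent-encoding: encodeURIComponent leaves !'()* unescaped, so escape them too.
function rfc3986(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Build METHOD&path&sorted-query for a request URL, relative to the app's baseUrl.
function canonicalRequest(method, requestUrl, baseUrl) {
  const url = new URL(requestUrl);
  const basePath = new URL(baseUrl).pathname.replace(/\/+$/, '');
  let path = url.pathname;
  if (basePath && path.startsWith(basePath)) path = path.slice(basePath.length);
  path = path.replace(/\/+$/, '').replace(/&/g, '%26') || '/';

  // Group values by encoded name; the jwt parameter itself is never part of the hash.
  const params = new Map();
  for (const [name, value] of url.searchParams) {
    if (name === 'jwt') continue;
    const key = rfc3986(name);
    if (!params.has(key)) params.set(key, []);
    params.get(key).push(rfc3986(value));
  }
  const query = [...params.keys()].sort()
    .map(key => key + '=' + params.get(key).sort().join(','))
    .join('&');
  return [method.toUpperCase(), path, query].join('&');
}

function computeQsh(method, requestUrl, baseUrl) {
  return crypto.createHash('sha256')
    .update(canonicalRequest(method, requestUrl, baseUrl), 'utf8').digest('hex');
}

// Compare the recomputed hash with the qsh claim of an already signature-verified token.
function qshMatches(claims, method, requestUrl, baseUrl) {
  const expected = Buffer.from(computeQsh(method, requestUrl, baseUrl));
  const actual = Buffer.from(String(claims.qsh || ''));
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// Constructed sample request (hostnames, paths and parameters are made up).
const SAMPLE_BASE = 'https://app.example.com/connect';
const SAMPLE_URL = SAMPLE_BASE + '/issue-panel/?xdm_e=https%3A%2F%2Fsite.example.net'
  + '&lic=none&cp=%2Fwiki&tag=b&tag=a&jwt=PLACEHOLDER.TOKEN.VALUE';
```

When a recomputed qsh does not match, logging the output of `canonicalRequest` for the incoming request shows which path segment or parameter differs from what was expected.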