It really depends on what you are trying to achieve. Confluence passes a jwt query parameter to the iframes of your modules (more info about JWT). You can send this JWT along with the requests to your backend. The JWT expires after a while; if you want to make a request some time after the iframe has loaded, you can generate a new JWT using
On the server side, you can decode and verify the token. The ID of the logged-in user is stored in the sub property of the JWT. To decode and verify the token, Atlassian provides a library called atlassian-jwt-js. Personally, I often run into problems with Atlassian libraries and find them to be coded in a rather unusual way, so I'd rather use a generic JWT library like jsonwebtoken.
You have to verify the JWTs against the sharedSecret that you received with the installed lifecycle event for that particular Confluence instance (the iss property of the JWT contains the clientKey, which you can use to look up the particular instance in your database where you persist the lifecycle payload).
You should make sure that you really understand the way JWTs work before going live with such an authentication mechanism.
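
The server-side check described above, as an added example that is not part of the original post and not Atlassian's code. It uses Node's built-in crypto module in place of jsonwebtoken so it runs without dependencies, and assumes HS256-signed tokens; the tenants map, the function names and all key, secret and user values are constructed for illustration.

```javascript
// Added example: HS256 verification with Node's built-in crypto module.
const nodeCrypto = require('crypto');

// Constructed tenant store: clientKey -> sharedSecret from the "installed" payload.
const tenants = new Map([['constructed-client-key', 'constructed-shared-secret']]);

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

function sign(signingInput, secret) {
  return nodeCrypto.createHmac('sha256', secret).update(signingInput).digest();
}

// Returns the verified claims, or throws. nowSeconds is injectable for testing.
function verifyConfluenceJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [headerPart, payloadPart, signaturePart] = parts;

  // Pin the algorithm: never let the token choose it ("none", RS256, ...).
  const header = b64urlJson(headerPart);
  if (header.alg !== 'HS256') throw new Error('unexpected alg');

  // The claims are untrusted here; iss is read only to find the right secret.
  const claims = b64urlJson(payloadPart);
  const secret = tenants.get(claims.iss);
  if (!secret) throw new Error('unknown issuer');

  // Recompute the HMAC with that instance's secret and compare in constant time.
  const expected = sign(`${headerPart}.${payloadPart}`, secret);
  const actual = Buffer.from(signaturePart, 'base64url');
  if (actual.length !== expected.length || !nodeCrypto.timingSafeEqual(actual, expected)) {
    throw new Error('bad signature');
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('expired');
  if (typeof claims.sub !== 'string') throw new Error('missing sub');
  return claims; // claims.sub can be trusted from here on
}

// Constructed helper that mints sample tokens for trying the verifier.
function makeToken(claims, secret, alg = 'HS256') {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ typ: 'JWT', alg })}.${enc(claims)}`;
  return `${input}.${sign(input, secret).toString('base64url')}`;
}
```

The order matters: nothing from the payload other than iss is used before the signature check passes, and iss is used only to select the secret.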