Sending a request from an iframe receives a 401

I’m attempting to follow the example described here: Bitbucket

The AJAX request is being sent to my add-on successfully, however it always gets a 401. After a little debugging I’ve discovered this is because of the following error: “com.atlassian.connect.spring.internal.jwt.JwtInvalidClaimException: Expecting claim ‘qsh’ to have value ‘e3058de8476897ecb7d2f926080bed3007a978d997083949f57d93f5076734df’ but instead it has the value ‘context-qsh’” (found in com.atlassian.connect.spring.internal.auth.RequireAuthenticationHandlerInterceptor).

Not sure what I’m missing. I’ve followed all the steps in the documentation, and I can see from the web inspector that the request is being sent with the token derived from the meta tag.

I don’t really want to have to turn off the authorisation with IgnoreJwt (although I have for now to enable me to continue working).

@MartinCassidy Please have a look here: Action required: Atlassian Connect vulnerability allows bypass of app qsh verification via context JWTs. It seems like you need to change your authorization check.
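The check behind the error message, sketched as an added example (not code from this thread or from atlassian-connect-spring-boot): a token whose `qsh` claim is the fixed string `context-qsh` is accepted only on endpoints that opt in, and every other token must carry the hash of the request it arrived on. The function names and the `allow_context_jwt` flag are hypothetical, and the canonical form (`METHOD&path&sorted-query`, with the `jwt` parameter dropped) is a simplified assumption about Connect's scheme.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

CONTEXT_QSH = "context-qsh"  # fixed claim value seen in the error above


def canonical_request(method, url):
    """Build METHOD&path&sorted-query (assumed, simplified canonical form)."""
    parts = urlsplit(url)
    path = (parts.path.rstrip("/") or "/").replace("&", "%26")
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key != "jwt":  # the token itself is never part of the hash
            params.setdefault(key, []).append(value)
    query = "&".join(
        quote(k, safe="-._~") + "="
        + ",".join(quote(v, safe="-._~") for v in sorted(vals))
        for k, vals in sorted(params.items())
    )
    return "&".join([method.upper(), path, query])


def expected_qsh(method, url):
    """SHA-256 hex digest of the canonical request."""
    return hashlib.sha256(canonical_request(method, url).encode("utf-8")).hexdigest()


def qsh_is_acceptable(claim_qsh, method, url, allow_context_jwt=False):
    """Decide whether a qsh claim is valid for this endpoint.

    Call only after the JWT signature and expiry have been verified.
    """
    if claim_qsh == CONTEXT_QSH:
        # Context tokens are not bound to any request, so they pass only
        # on endpoints that explicitly opted in (e.g. iframe AJAX targets).
        return allow_context_jwt
    want = expected_qsh(method, url)
    return hmac.compare_digest(claim_qsh.encode("utf-8"), want.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample request, not taken from the thread.
    url = "/api/items?b=2&a=1&jwt=placeholder"
    print(qsh_is_acceptable(CONTEXT_QSH, "GET", url))                          # lifecycle-style endpoint
    print(qsh_is_acceptable(CONTEXT_QSH, "GET", url, allow_context_jwt=True))  # iframe endpoint
    print(qsh_is_acceptable(expected_qsh("GET", url), "GET", url))             # request-bound token
```
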

Perfect, thanks!