The mistake I made was to implement this route:
```typescript
// DO NOT USE THIS, BAD CODE
app.post('/installed', addon.authenticate(), async function(req: any, res: any) {
    console.log(req.body)
    // do something own after installation, nope this is not good!
    res.sendStatus(200);
})
```
This does apparently break the first authentication between Jira and the add-on. I did not notice this break, because my dev add-on was already registered with Jira and the authentication was using an entry from a SQLite file database that was saved before the breaking change. So I did not understand why it “suddenly” broke, because the mistake was made one month back.
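The effect described in the post, as an added example that is not the poster's code or the framework's own implementation: a simplified model showing why an auth-guarded `/installed` handler passes against an already populated store but rejects a first install. It assumes the auth check resolves the tenant's shared secret from the local store by JWT issuer; `authenticate`, `guardedInstalled`, `demo` and all values here are hypothetical.

```javascript
// Simplified model for illustration; names and values are constructed.
const crypto = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Build an HS256 JWT the way a host would sign a request for one tenant.
function signJwt(claims, secret) {
  const signingInput = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(claims));
  return signingInput + '.' + hmac(signingInput, secret).toString('base64url');
}

// Hypothetical auth check: look up the tenant's stored secret by the JWT issuer,
// then verify the signature. Without a stored entry there is nothing to verify against.
function authenticate(store, token) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return { status: 401, reason: 'malformed token' };
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (e) {
    return { status: 401, reason: 'malformed token' };
  }
  const tenant = claims ? store.get(claims.iss) : undefined;
  if (!tenant) return { status: 401, reason: 'no stored client data' };
  const expected = hmac(parts[0] + '.' + parts[1], tenant.sharedSecret);
  const given = Buffer.from(parts[2], 'base64url');
  const ok = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  return ok ? { status: 200, reason: 'ok' } : { status: 401, reason: 'bad signature' };
}

// Same shape as the route in the post: the auth check runs before the handler body.
function guardedInstalled(store, token) {
  const auth = authenticate(store, token);
  return auth.status === 200 ? { status: 200, reason: 'handler ran' } : auth;
}

// Constructed install payload and stores; all values are made up for the demo.
function demo() {
  const install = { clientKey: 'tenant-123', sharedSecret: 'constructed-secret' };
  const token = signJwt({ iss: install.clientKey }, install.sharedSecret);
  const devStore = new Map([[install.clientKey, { sharedSecret: install.sharedSecret }]]);
  const freshStore = new Map(); // first install: nothing persisted yet
  return {
    alreadyRegistered: guardedInstalled(devStore, token),
    firstInstall: guardedInstalled(freshStore, token),
    wrongSecret: guardedInstalled(devStore, signJwt({ iss: install.clientKey }, 'other')),
  };
}
```

Testing the install flow against an empty store (for example a fresh database file) surfaces this kind of regression immediately instead of a month later.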