Using JWT to auth REST API calls

I’m building an app using Elixir so I’ve written the code to build a query_string_hash and jwt. Along the way I’ve been comparing against atlassian-jwt - npm and am now consistently generating matching results for both jwt.createQueryStringHash and jwt.encodeSymmetric.

When I make a request like the following I’m getting a 401 (actual generated jwt).

curl -X GET "" \

The clientKey (iss) and sharedSecret (signing key) and baseUrl were taken from the app installed lifecycle callback.

I’ve added the read scope to atlassian-connect.json and done a fresh install of the app to ensure that the scopes are up to date.

I’d appreciate some help here; I’m not sure what I’m missing.
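A way to cross-check a port like the one described above, as an added example that is not part of the original post and not code from atlassian-jwt: it builds the canonical request, the qsh and an HS256 token with Node's crypto only, and decodes a token for inspection. The canonicalization rules (method, path relative to the base URL, sorted percent-encoded query without the jwt parameter, SHA-256 hex) are an assumption taken from the Atlassian Connect documentation rather than from this page; all function names, the secret and the claim values are constructed.

```javascript
// Added example; function names, secret and claim values are constructed.
const crypto = require('node:crypto');

// RFC 3986 encoding: encodeURIComponent leaves !'()* alone, so escape those too.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Assumed canonical form: METHOD&path&sorted-query, "jwt" parameter excluded.
// pathAndQuery must be relative to the baseUrl from the installed callback.
function canonicalRequest(method, pathAndQuery) {
  const url = new URL(pathAndQuery, 'https://placeholder.invalid'); // parse only
  let path = url.pathname.replace(/&/g, '%26');
  if (path.length > 1 && path.endsWith('/')) path = path.slice(0, -1);
  const params = new Map();
  for (const [k, v] of url.searchParams) {
    if (k === 'jwt') continue;
    const key = enc(k);
    params.set(key, [...(params.get(key) || []), enc(v)]);
  }
  const query = [...params.keys()].sort()
    .map((k) => `${k}=${params.get(k).sort().join(',')}`).join('&');
  return `${method.toUpperCase()}&${path}&${query}`;
}

const qsh = (method, pathAndQuery) => crypto.createHash('sha256')
  .update(canonicalRequest(method, pathAndQuery), 'utf8').digest('hex');

const b64url = (s) => Buffer.from(s).toString('base64url');

function signHS256(claims, secret) {
  const signingInput = `${b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' }))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.createHmac('sha256', secret).update(signingInput).digest('base64url');
  return `${signingInput}.${sig}`;
}

// Recompute the MAC, compare in constant time, and return the decoded claims
// so a rejected token can be inspected (iss, exp, qsh) before it is sent.
function inspectToken(token, secret) {
  const [head, body, sig = ''] = token.split('.');
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  const signatureOk = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  return { signatureOk, claims: JSON.parse(Buffer.from(body, 'base64url').toString('utf8')) };
}
```

Comparing the output of `canonicalRequest` between two implementations, before hashing, shows where they diverge; a matching qsh and signature with a 401 points at the claims rather than the cryptography.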


I’m not sure about that iss. From my instance, I get a similar looking clientKey, but mine is prefixed with jira:.

clientKeys actually come in all shapes and forms; it depends on when the app was first installed. There have been at least 3 generations of them, if not more, over the years.

Hey @ibuchanan thanks for the suggestion. I did save the whole payload from the post install hook and it doesn’t include a jira prefix in the clientKey. I tried it anyway just in case but I’m still getting the 401.

atlassian-connect-express proved to be a useful reference here. I discovered the jwt claims need to be:

import descriptor from './atlassian-connect.json';
import jwt from 'atlassian-jwt';

const infoFromAppInstalledCallback = {...};

const req: jwt.Request = jwt.fromMethodAndUrl('GET', '/rest/resource/you/want');

const jwt_claims = {
  "aud": [
  "exp": 1682584738,
  "iat": 1682581138,
  "iss": descriptor.key,
  "qsh": jwt.createQueryStringHash(req)