Maybe the question is lame, but I haven’t find the answer yet. So I understand that the preferred way for authentication between confluence and the add-on server is JWT. But what if I’d like to write an add-on that serves only html pages with some javascript, and all the communication happens with AP.request?
It seems in this case - at least in developer mode - everything works fine if I set authentication type to “none”.
So my question is: What are the drawbacks of using no authentication? Does it affect payed apps?
I cannot think of any drawback. In fact, I would say that it is highly recommended to use none if you can, as it will prevent you from (accidentally) storing any credentials that give access to the customer instance. If you set the authentication to JWT, you will get a sharedSecret which, when leaked, can be used by attackers to generate & sign a JWT with the full scope of your app to access information from the customer instance as the app user.
I agree with Remie, but you should be aware of this Confluence issue related to searching for users (user search returns 0 users, not sure if it has been fixed or not):
In order to work around this issue, we were forced to add authentication to a few of our apps, even though they would not have required it otherwise. Other than that, no major drawbacks, and it does not affect paid apps.