We have an app that fetches a list of Jira projects via OAuth 2 (3LO) from REST API v2 ( via GET /rest/api/2/project/search) and renders them in a third-party application.
project.avatarUrls["24x24"] from the result to render the project avatars. Strangely, for Jira built-in avatars this works without any issues, however, for projects with custom avatars (image uploaded by us) the URLs return 403.
URLs look like this:
Does anyone have an idea how to fix this? It seems custom avatars are not made publicly accessible.