When Confluence builds the URL of an addon’s iframe, it authenticates it with a JWT token, which contains various values including the QSH (=basically a hash of the current URL). The purpose is to prevent the user from building an URL themselves.
But when we want to call REST APIs of our product, Atlassian recommends that we use
AP.context.getToken(), which returns a JWT with no QSH, hence valid for any URL. They explain it on the “Cacheable iframe” doc, for example.
Why is it secure? Doesn’t it mean that user can build a fake URL to an iframe, use the getToken() to authenticate it, bypassing the QSH issue?