I have made an atlassian connect application for Bitbucket and I have implemented JWT token validation, but there's a problem.
The payload I get when someone installs the app for the first time on their account simply lacks Authorization header and thus JWT token. Unlike what the documentation claims, this header is absent not just on first installation globally but on every first installation for each account.
The question is, how do I verify these installed events? When using a registered app I know the shared secret from my console, and I can check if shared secret given in the payload matches the one in my configuration. But if comparing shared secrets is sufficient for validation, why the whole process with JWT and qsh claim? The install hook request lacks a JWT token and thus it doesn't have any protections at all, it seems.
I do not know what is the general idea here.
