
How do I know what oauthSecret to use?

cosmin-bhd February 8, 2016

This question is in reference to Atlassian Developer Documentation: JWT token

How can I debug the JWT token with the oauthSecret of the room I am in, if I only get the room_id after the debug? How do I know what oauthSecret to use? This is for multiple room installs, and this will give me multiple oauthId and oauthSecret.

1 answer

1 vote
rich
Atlassian Team
February 8, 2016

Great question.

It's important to understand how HipChat works with add-on authentication. You're probably used to a global consumer/oauth ID/secret that you register when you want to obtain an OAuth token. In HipChat, there's no notion of a global consumer/oauth client. Instead, each installation of an add-on (per room or group level acct) is treated as a "tenant" (aka, an oauth consumer). In HipChat, each oauth consumer gets its own id/secret pair. During the add-on install phase, you'll receive one of these id/secret pairs. You need to persist this pair to your database using the oauth id as your key.

Re: the JWT token... when your add-on needs to validate a JWT token, you first need to decode the claims without a secret (using your JWT library) – doing that will expose the oauth ID you need to look up the tenant in your database (this is stored in the `iss` claim). Once you've obtained the `iss`, look up the tenant in your database then retrieve the secret. You can now use this secret to decode and verify the signed JWT token which will expose all the other context information in the token.
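The lookup-then-verify flow described in the answer above, as an added example that is not part of the original thread or Atlassian's code. It assumes HS256-signed tokens and a secret used as UTF-8 bytes; the in-memory `TENANTS` map (standing in for the database), the sample claims, and the helper names `sign_hs256` and `verify_tenant_jwt` are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed tenant store: oauth ID -> oauth secret, saved at install time.
TENANTS = {"room-a-oauth-id": "secret-a", "room-b-oauth-id": "secret-b"}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Build a constructed sample token (stands in for what the add-on receives)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(secret, head + '.' + body))}"

def verify_tenant_jwt(token, tenants, now=None):
    """Return the verified claims, or raise ValueError."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(_b64d(head)).get("alg")
        claims = json.loads(_b64d(body))
        iss, signature = claims.get("iss"), _b64d(sig)
    except (ValueError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token pick it (rejects alg "none").
    if alg != "HS256":
        raise ValueError("unexpected alg")
    # Step 1: the unverified iss is used only as a lookup key for the tenant.
    secret = tenants.get(iss) if isinstance(iss, str) else None
    if secret is None:
        raise ValueError("unknown tenant")
    # Step 2: verify the signature with that tenant's secret, in constant time.
    if not hmac.compare_digest(_mac(secret, head + "." + body), signature):
        raise ValueError("bad signature")
    # Only after the signature checks out are the other claims trusted.
    exp = claims.get("exp")
    if exp is not None and exp < (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims
```

Nothing from the token other than `iss` is read before the signature check, so a token signed with one room's secret cannot pass as another room's.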
