Access Jira Cloud REST API using 2-legged OAuth

Pascal Houde November 5, 2018

I want to build an application that will retrieve Jira issues from different cloud instances in order to get some kind of aggregated view of all Jira issues that are dispersed on those different instances. We have many developers working for different customers, each owning their own Jira cloud instance. We want to provide, via a centralized app, a harmonized view of all Jira issues assigned to each of our developers. Some of them can work for multiple customers at the same time.

I don't want to have user interaction required like in a 3LO OAuth. I want to fetch that information on a regular basis, so it is basically a server-to-server approach with a web dashboard that will expose that information.

Am I forced to use Basic auth for that? The doc begs people to stay away from Basic Auth because it is not as secure as OAuth, but at the same time does not provide an alternative for my needs.

1 answer

0 votes
Raimundas Juska
Rising Star
November 5, 2018

Atlassian Connect has the best documentation regarding this so I would go that path - https://developer.atlassian.com/cloud/jira/platform/authentication-for-apps/

Pascal Houde November 7, 2018

I generated a JWT token using the shared secret that was provided after registering my app in Jira Connect but getting back HTTP 401 on requests I make. Also I receive back HTML content in the response even though I specified application/json. This happens if I specify JWT <my jwt token> in the authorization header. If I specify Bearer instead of JWT then I get back JSON message "Client must be authenticated to access this resource." but still a 401.

I don't know what I am missing.

Pascal Houde November 7, 2018

I was missing the query string hash (QSH) but still having the same problem. It would be nice to know what is wrong when developing instead of just receiving a 401.

Raimundas Juska
November 7, 2018

You won't get more info on 401 as providing more info on what exactly is wrong would be a security flaw.

What language are you using on your server? I know that there are packages for a few languages, try searching for your required language. 

Node.js - https://www.npmjs.com/package/atlassian-connect-express

Python - https://bitbucket.org/atlassian/atlassian-jwt-py?_ga=2.116449987.458870543.1539531922-190871020.1538306682

Pascal Houde November 7, 2018

Using .NET. There is already a developer mode in Jira for installing connectors that are not on the marketplace. It would therefore be possible to provide more information in this context.

There could be something that is wrong when I generate the QSH or something wrong with the JWT itself. I am using Microsoft classes to generate the jwt token.

Raimundas Juska
November 8, 2018

The way I am using jwt is adding it via query string at the end of rest request (?jwt=) and it works fine.

This link describes the detailed way of creating jwt - you need to create query string hash (using request method, original URL and query string), then create token itself using query string hash, addon key, and iat/exp dates.

 

https://developer.atlassian.com/cloud/jira/platform/understanding-jwt/

https://developer.atlassian.com/blog/2015/01/understanding-jwt/

I also see that Atlassian recommends using this package for .net - https://github.com/johnsheehan/jwt

I have also found this - https://bitbucket.org/atlassianlabs/atlassian-connect-.net

Pascal Houde November 8, 2018

Finally found the issues with my code.

1) Was not using UTC time.

2) Was not setting "iat" claim. The MS library is not setting it automatically.

I am passing "Jwt {jwt token}" in the Authorization header and it works fine.

It seems to be much less trouble using POST instead of GET because I don't have to deal with the QSH. The doc does mention integrating POST data in the computation of QSH, but I don't and it is working. Perhaps it is meant only for x-www-form-urlencoded??

In parallel, I developed an OAuth 2LO which is working fine. I don't have to deal with QSH when using OAuth, but I need to use impersonation in order to make requests.

Thanks all for your help and support.
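The token construction discussed in this thread (query string hash, then `iss`, `iat` and `exp` in UTC, signed with the shared secret), as an added Python sketch that is not code from any poster or from Atlassian. It also includes a local checker, since the server only answers 401. The QSH canonicalization is a simplified reading of the "understanding JWT" page linked above and should be verified against it; the app key, secret and `example.atlassian.net` URL are constructed values.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qsl, quote, urlsplit

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _sign(signing_input: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256)
    return _b64url(mac.digest())

def query_string_hash(method: str, url: str) -> str:
    """SHA-256 hex of METHOD&path&sorted-query, ignoring any 'jwt' parameter."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key != "jwt":
            params.setdefault(quote(key, safe="-._~"), []).append(quote(value, safe="-._~"))
    query = "&".join(f"{k}={','.join(sorted(v))}" for k, v in sorted(params.items()))
    return hashlib.sha256(f"{method.upper()}&{path}&{query}".encode()).hexdigest()

def build_jwt(app_key, secret, method, url, now=None, lifetime=180):
    # time.time() counts seconds since the epoch, so it is UTC regardless of local timezone.
    iat = int(time.time() if now is None else now)
    claims = {"iss": app_key, "iat": iat, "exp": iat + lifetime,
              "qsh": query_string_hash(method, url)}
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return f"{signing_input}.{_sign(signing_input, secret)}"

def check_jwt(token, secret, method, url, now=None):
    """Return the problems found locally; an empty list means the token looks right."""
    signing_input, _, signature = token.rpartition(".")
    if not hmac.compare_digest(_sign(signing_input, secret), signature):
        return ["bad signature"]
    payload = signing_input.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time() if now is None else now)
    problems = [f"missing {c}" for c in ("iss", "iat", "exp", "qsh") if c not in claims]
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if claims.get("qsh") != query_string_hash(method, url):
        problems.append("qsh mismatch")
    return problems

if __name__ == "__main__":  # constructed sample request
    url = "https://example.atlassian.net/rest/api/2/search?maxResults=5&jql=assignee%3Dalice"
    token = build_jwt("com.example.dashboard", "constructed-secret", "GET", url)
    print("Authorization: JWT " + token, check_jwt(token, "constructed-secret", "GET", url))
```

Because the QSH binds the token to one method, path and query, a token built for one request is rejected when reused on another, which is why each outgoing call needs its own token.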
