When you are building a cloud add-on, you can handle authentication without bothering admins (they don't need to copy anything).
To integrate with the Jira UI you need to create a web panel or a page. In both cases, Jira will ask your site to render the HTML, and the request will include a JWT token. Inside it you will have information about which user made the request.
Now, you can authenticate Jira users to your API in several ways:
- render a time-limited token into the HTML and use it to authenticate calls to your API. The downside of this solution is that if someone keeps the page open without reloading for long enough (longer than your time limit), the token will become invalid.
- provide a resource to retrieve a time-limited token (validate the JWT signature provided by Jira to be sure the request really comes from a particular Jira instance) and retrieve the token every time before making the request (or every N minutes, depending on your time limit).
- or, if you really want to bother admins, create a configuration page and let them save API keys by hand (I assume they will have to retrieve those keys from you somehow; this additional step may discourage many admins). In this configuration page you will include JS code that, on submit, saves the API keys as an application property, and later you will have to retrieve this property before making requests to your API. With this approach, however, admins will not be able to restrict access to your API to a subset of users with Jira permissions (every logged-in user can access application properties, and in open instances even anonymous users can).
If you are unsure how to validate the JWT token, you can read this developer guide. Also, you can make your life easier by using one of the provided frameworks and tools; for example, atlassian-connect-spring-boot will take care of the installation handshake, JWT authentication, and authentication to the Jira REST API from your server.
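The second option above, as an added Node.js example (not code from the original answer or from Atlassian): the endpoint verifies the Jira-signed HS256 JWT with the shared secret stored for that instance, then issues a short-lived token bound to the instance and user. The tenant table, key names, token claim layout and the use of `iss`/`sub` for client key and user are assumptions, and the `qsh` request-hash check is left out to keep to the signature and expiry logic.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: per-tenant shared secrets saved at install time.
const tenants = new Map([['constructed-client-key', 'constructed-shared-secret']]);
const API_KEY = 'constructed-api-signing-key'; // hypothetical add-on-only secret
const API_TTL = 300; // seconds: the "time limit" of the issued token

const b64u = (v) => Buffer.from(v).toString('base64url');
const mac = (data, key) => crypto.createHmac('sha256', key).update(data).digest();
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

function signHs256(claims, key) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  return `${head}.${body}.${b64u(mac(`${head}.${body}`, key))}`;
}

function verifyHs256(token, keyFor, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = parse(head);
    claims = parse(body);
  } catch {
    throw new Error('malformed token');
  }
  // Pin the algorithm: never let the token choose "none" or another alg.
  if (header?.alg !== 'HS256') throw new Error('unexpected alg');
  // Claims are untrusted here; iss is read only to pick the tenant's key.
  const key = keyFor(claims ?? {});
  if (!key) throw new Error('unknown issuer');
  const want = mac(`${head}.${body}`, key);
  const got = Buffer.from(sig, 'base64url');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) throw new Error('bad signature');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Exchange a Jira-signed JWT for a short-lived token scoped to tenant and user.
function issueApiToken(jiraJwt, now = Math.floor(Date.now() / 1000)) {
  const c = verifyHs256(jiraJwt, (cl) => tenants.get(cl.iss), now);
  return signHs256({ tenant: c.iss, sub: c.sub, iat: now, exp: now + API_TTL }, API_KEY);
}

// Run on every API call before doing any work.
const checkApiToken = (token, now = Math.floor(Date.now() / 1000)) =>
  verifyHs256(token, () => API_KEY, now);
```

Because the issued token is signed with a key that never leaves the add-on, a Jira JWT cannot be replayed as an API token, and the page script only needs to call the exchange endpoint again when `checkApiToken` reports expiry.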