After some investigation, it seems that it is indeed possible to impersonate a user using the API. I came across a helpful response from Martin Cassidy on the Atlassian forum, which I have slightly edited for spelling:
To impersonate a user, you need to follow these steps:
- Create a public-private key pair
- Configure the trusted application in Jira GUI, enabling the 2-legged OAuth option
- Send requests as usual (do not worry about request tokens and access tokens, but include the following parameters in the query string of your request):
  - oauth_consumer_key - the name of your consumer set in the trusted application setup through Jira GUI
  - oauth_token - leave empty
  - oauth_signature_method - RSA-SHA1 is the only method supported by Jira
  - oauth_signature - generate the signature for your request using your private key. For Java users, consider using the net.oauth classes as shown in the Jira OAuth example
  - oauth_timestamp - this can be generated automatically with net.oauth
  - oauth_nonce - also generate automatically as above
  - user_id - optional. If specified, Jira will execute the RESTful request as the specified user. If not provided, Jira will use the user specified in the trusted application configuration.
It is worth noting that Martin's explanation is geared towards Java clients using Jersey. The same can be achieved with JavaScript, but be cautious as it may expose the private access token to Confluence, allowing unauthorized individuals to make requests on behalf of your application. It is recommended to handle this securely on the server-side to protect the API key.
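The signing step from the list above, done in server-side Node.js so the private key never reaches the browser. This is an added example, not code from the original answer or from Atlassian: the host, consumer key, user name and throwaway key pair are constructed, and the base-string construction follows RFC 5849 rather than anything Jira-specific stated here.

```javascript
const crypto = require('crypto');

// RFC 3986 percent-encoding, as RFC 5849 section 3.6 requires.
function pct(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Base string: METHOD & encoded base URL & encoded parameters sorted by name (object keys are unique).
function baseString(method, baseUrl, params) {
  const normalized = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(v)])
    .sort((a, b) => (a[0] < b[0] ? -1 : 1))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), pct(baseUrl), pct(normalized)].join('&');
}

// Build the query-string parameters listed in the answer and sign them.
function signRequest({ method, baseUrl, consumerKey, userId, privateKey, query = {} }) {
  const params = {
    ...query,
    oauth_consumer_key: consumerKey,
    oauth_token: '', // left empty for 2-legged OAuth
    oauth_signature_method: 'RSA-SHA1',
    oauth_timestamp: String(Math.floor(Date.now() / 1000)),
    oauth_nonce: crypto.randomBytes(16).toString('hex'),
  };
  if (userId) params.user_id = userId; // optional: user to act as
  const base = baseString(method, baseUrl, params);
  // RSA-SHA1 = RSASSA-PKCS1-v1_5 over SHA-1, base64-encoded.
  const signature = crypto.sign('sha1', Buffer.from(base), privateKey).toString('base64');
  const qs = Object.entries({ ...params, oauth_signature: signature })
    .map(([k, v]) => `${pct(k)}=${pct(v)}`).join('&');
  return { url: `${baseUrl}?${qs}`, base, signature };
}

// What the receiving side does with the registered public key.
function verify(base, signature, publicKey) {
  return crypto.verify('sha1', Buffer.from(base), publicKey, Buffer.from(signature, 'base64'));
}

// Constructed demo values: throwaway key pair, placeholder host, consumer and user.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const signed = signRequest({
  method: 'GET', baseUrl: 'https://jira.example.test/rest/api/2/issue/DEMO-1',
  consumerKey: 'demo-consumer', userId: 'alice', privateKey,
});
console.log(signed.url);
```

Because `user_id` is part of the signed base string, changing it after signing invalidates the signature; anyone holding the private key, however, can sign for any user, which is why it belongs on the server.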