We are developing a BitBucket app and found out that in the PostInstallRedirect we also get the JWT as part of the querystring and we think this is a potential security issue, furthermore - we don’t use it as we already authenticate the jwt in the installation webhook.
Is there a way to remove it or at least move it to the header?