With Connect user impersonation it was possible for apps to impersonate users who hasn't yet verified their email address. (https://developer.atlassian.com/cloud/jira/platform/user-impersonation-for-connect-apps/)

However, with Forge offline impersonation, the API call fails with 401 Unauthorized in this scenario.

This difference in behaviour causes issues with DC to cloud migration where users need to log-in first and validate their email before the offline impersonation can work.

Workaround

With managed accounts, it's possible to call update email API

curl --location --request PUT 'https://api.atlassian.com/users/${accoundId}/manage/email' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer bearer_token' \
--data-raw '{
  "email": "email@example.com"
}'

This API automatically marks the new email address as verified and offline forge user impersonation will then work. You may need to call the API twice,

• first call to change the email address to something like email_temp@example.com
• then, change back to original email@example.com