JSON Web Tokens (JWTs) are used by the SAS Portal API in two ways:
- To aid with CPI identity validation.
- To allow non-CPIs to help install CBSDs that require CPI installation.
During CPI identity validation, the CPI is asked to create a JWT from a secret generated by the SAS Portal API. In this case, the CPI uses their private key to create the JWT.
Alternatively, non-CPIs may use the SAS Portal API to create a device configuration from a JWT created by a CPI. In this case, the JWT contains CBSD registration parameters and the CPI uses their private key to create the JWT.
The JSON Web Signature (JWS) standard is defined in RFC 7515, and the SAS Portal API supports the ES256 and RS256 signature algorithms.