JWT with OTA Updates

Let's analyze a common scenario: using JWTs to identify OTA Updates clients that want to receive software updates on their devices.

To receive software updates, you need to provide a JWT in a header or a query parameter of your request. When building the token, you can include IoT-supported registered claims and custom information. You then sign the token with a private RSA key. Signed JWTs act as temporary user credentials and allow you to receive software updates until the specified expiration time. See IoT-supported registered claims.

A JWT with an expiry date

Note: The private RSA or ECDSA key you use to sign the JWT must correspond to the public key you upload to a key collection in the Token Access Control application and reference in your property configuration. Also, allow the use of your signing algorithm in the JWT behavior. See Signing algorithms.

Now, let’s analyze how this sample IoT OTA Updates property configuration tells the Akamai platform to search for and process JWTs in requests. Here, it directs edge servers to check the X-JWT-Location request header for tokens and use the public keys stored in the OTAUpdatesKeySet key collection to authenticate clients by checking the validity of their JWT signatures.

JWT Verification behavior in the OTA Updates property

Once the edge server extracts the JWT from the request and validates the client's identity and the claims present in the token, it permits the client to download the requested file with software updates.
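
The flow described above, modeled locally as an added example (this is not Akamai's code or its edge implementation): a client signs a JWT with an RSA private key and sends it in the X-JWT-Location header, and a verifier checks the algorithm, the signature against a key set, and the expiry. The function names, the `sub` value, the `ALLOWED_ALGS` list and the clock values are assumptions made for the illustration; `exp` is the standard registered expiration claim.

```javascript
// Added example: a local model of the flow, not Akamai's edge implementation.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const ALLOWED_ALGS = ['RS256']; // assumed allow-list; this sketch implements RS256 only

// Client side: sign "header.payload" with the private RSA key (RS256).
function signJwt(claims, privateKey) {
  const input = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
    b64url(JSON.stringify(claims));
  return input + '.' + b64url(crypto.sign('sha256', Buffer.from(input), privateKey));
}

// Verifier side: extract the token, then check algorithm, signature and expiry.
function verifyRequest(headers, publicKeys, nowSec) {
  const token = headers['x-jwt-location']; // header names lower-cased, as Node does
  if (typeof token !== 'string') return { ok: false, reason: 'missing token' };
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed token' };
  let header, claims;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
    claims = JSON.parse(fromB64url(parts[1]).toString('utf8'));
    if (!header || !claims) throw new Error('not a JSON object');
  } catch (e) {
    return { ok: false, reason: 'malformed token' };
  }
  // Reject anything outside the configured algorithms before touching the signature.
  if (!ALLOWED_ALGS.includes(header.alg)) return { ok: false, reason: 'algorithm not allowed' };
  const data = Buffer.from(parts[0] + '.' + parts[1]);
  const sig = fromB64url(parts[2]);
  if (!publicKeys.some((key) => crypto.verify('sha256', data, key, sig)))
    return { ok: false, reason: 'bad signature' };
  // Expiry is enforced only after the signature proves the claims are authentic.
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp)
    return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed sample data: throwaway key pair, token valid for 10 minutes.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const keySet = [publicKey]; // stands in for the OTAUpdatesKeySet key collection
const now = 1700000000;
const token = signJwt({ sub: 'device-0001', exp: now + 600 }, privateKey);
console.log(verifyRequest({ 'x-jwt-location': token }, keySet, now));
console.log(verifyRequest({ 'x-jwt-location': token }, keySet, now + 600));
```

The verifier takes the current time as a parameter so the expiry check can be exercised deterministically; a real deployment would use the server clock.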