JSON web token is an open standard RFC 7519 that defines a compact and self-contained method for securely transmitting JSON-encoded information between parties. At Akamai, you can use JWTs to quickly identify and authorize OTA Updates and Edge Connect clients who send requests to origin servers.
A JWT contains information about an entity in the form of claims and combines three elements encapsulated in JSON objects:
Header. Contains information about the media type of the JWT and the hashing algorithm used for encoding the JWT.
Payload. Contains the actual statements represented as public claims that two parties exchange. Currently, the IoT products support the use of pre-defined registered and private claims. For more information, see IoT-supported registered claims.
Signature. Ensures the proper identification of the request sender and protects the request from being tampered with. Note that the IoT products support verifying JWT signatures generated with the RS256 and ES256 signing algorithms. For more information, see Keys and JWT signing algorithms.
JWTs are stateless, which means that incoming JWT requests can be validated on the spot. You don't have to store session states on the server and load user information from a database or cache. This immediate validation increases the scalability of your system and provides an overall faster client-server experience.
Akamai verifies JWT signatures at the edge, which negates the need to go back to origin for verification and offloads your identity provider. This behavior also contributes to improved security by allowing edge servers to filter out unauthorized requests before they can reach your origin infrastructure.
The IoT products support the use of RSA or ECDSA private and public key pairs for JWT signature verification. This ensures the data in the JWT payload hasn't been modified by third parties. You first sign a JWT by using a private key. The IoT products then verify the integrity of the JWT by using one of the public keys that you upload through the Token Access Control API.
Based on your JWT claim configuration, the IoT products check the token for the presence of claims and validate the value of each present claim. If the optional claims are present and their expected values are correct, JWT validation succeeds and the system allows the entity issuing the JWT to access the requested resources.