
JWT (JSON Web Token)

Protocols & Standards

JWT (RFC 7519) is a compact, URL-safe format for representing claims as a JSON object that is signed (JWS) or encrypted (JWE), commonly used for authentication and for passing identity and authorization information between services.

What to Know

JWTs enable stateless authentication: the server keeps no session store, because the token itself carries the claims (subject, roles, expiration time) plus a signature, so any service holding the verification key can check it without a database lookup. That is what makes JWTs a good fit for API authentication in modern MDM platforms, where admins and automation scripts need scoped access to management functions. The trade-off is revocation: a signed token stays valid until its exp time unless the server also keeps a denylist or rotates the signing key, which is why access tokens are kept short-lived. JWTs support fine-grained authorization by embedding role, scope or permission claims that the server checks before processing a request; none of those claims can be trusted until the signature, the expected algorithm and the time claims have been validated.

JWTs are also central to integrations with Apple services. App Store Connect API access requires each request to carry a short-lived JWT signed (ES256) with the private key of an API key generated in App Store Connect, and many enterprise SSO implementations use JWTs as the ID token in OpenID Connect flows. Because a JWT is self-contained, it can be validated by any component that holds the issuer's public key or shared secret, without a callback to the issuer, which suits distributed service architectures where not every component has direct database access.

Common Scenarios

Enterprise IT: IT admins obtain a JWT when authenticating to an MDM API and include it in subsequent requests as a Bearer token in the Authorization header (Authorization: Bearer <token>). These tokens typically expire after hours or days, so clients must re-authenticate or refresh periodically. Whoever signs the tokens (normally the MDM platform, not the admin) must store the signing secret or private key securely and rotate it on a schedule; admin tooling must likewise protect the credentials it uses to obtain tokens. Custom integrations should read the token's exp claim and refresh before it lapses, so that long-running automation jobs do not fail mid-run with 401 responses.

MSP: MSPs building multi-tenant management platforms use JWTs to authenticate API calls across client accounts, with a token claim identifying which client context is being accessed. Custom tools must validate the signature, the expected algorithm, the issuer, the expiry and the tenant claim, so that a token for one client cannot be altered or presented against another; short lifetimes and a unique jti claim limit replay of a captured token. Service accounts used for automation should have dedicated credentials with scoped permissions, limiting the damage from a compromised credential. Token expiration policies should balance security (shorter lifetimes) against operational convenience (fewer re-authentication interruptions).
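The mechanics described under What to Know, and the validation a custom MSP tool has to perform, as an added example that is not part of this page and not Addigy's code: it issues an HS256 token using only the Python standard library, then verifies the signature, pins the algorithm, enforces the time claims and checks tenant and scope, exercising each failure mode in turn. The `tenant` and `scope` claim names, the service-account subject and the secret are constructed for the demo; real platforms define their own claim names, and an API client would normally hold only the credentials to obtain tokens, never the signing secret (the `needs_refresh` helper models that client side, which is the refresh check the Enterprise IT scenario calls for).

```python
"""Issue and verify an HS256 JWT with only the Python standard library.
Added example, not Addigy's code. Claim names and the secret are assumptions."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """JWT segments use base64url without '=' padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict, secret: bytes) -> str:
    """header.payload.signature, with HMAC-SHA256 over 'header.payload'."""
    segments = [_json_segment({"alg": "HS256", "typ": "JWT"}), _json_segment(claims)]
    signature = hmac.new(secret, ".".join(segments).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


class TokenError(Exception):
    pass


def verify_token(token, secret, *, expected_tenant, required_scope, now=None, leeway=30):
    """Return the claims only if signature, time and authorization claims all pass."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the verifier expects; never let the token choose it.
    # This rejects alg=none and HS256/RS256 key-confusion attacks.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # trusted only from here on
    now = time.time() if now is None else now
    if "exp" not in claims:
        raise TokenError("missing exp")
    if now > claims["exp"] + leeway:
        raise TokenError("expired")
    if claims.get("nbf", 0) > now + leeway:
        raise TokenError("not yet valid")
    # Authorization: the token must be for this tenant and carry the needed scope.
    if claims.get("tenant") != expected_tenant:
        raise TokenError("wrong tenant")
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("insufficient scope")
    return claims


def needs_refresh(token: str, now: float, margin: int = 120) -> bool:
    """Client side: read exp without verifying (the client has no key) and
    refresh when the token is within `margin` seconds of expiring."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    return now >= payload.get("exp", 0) - margin


def check(token, secret, **kw) -> str:
    try:
        verify_token(token, secret, **kw)
        return "ok"
    except TokenError as err:
        return str(err)


def demo() -> dict:
    """Constructed scenario: a 15-minute token for a roster-sync service account."""
    secret = b"constructed-demo-secret-do-not-use"
    t0 = 1_700_000_000
    claims = {"sub": "svc-roster-sync", "tenant": "acme",
              "scope": "devices:read policies:read", "iat": t0, "exp": t0 + 900}
    token = issue_token(claims, secret)
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Tampered: tenant swapped in the payload, original signature kept.
    tampered = ".".join([header_b64, _json_segment(dict(claims, tenant="globex")), sig_b64])
    # alg=none: header rewritten, signature segment left empty.
    unsigned = ".".join([_json_segment({"alg": "none", "typ": "JWT"}), payload_b64, ""])
    ok = dict(expected_tenant="acme", required_scope="devices:read", now=t0 + 60)
    return {
        "valid": check(token, secret, **ok),
        "tampered": check(tampered, secret, **ok),
        "alg_none": check(unsigned, secret, **ok),
        "expired": check(token, secret, **dict(ok, now=t0 + 2000)),
        "wrong_tenant": check(token, secret, **dict(ok, expected_tenant="globex")),
        "no_scope": check(token, secret, **dict(ok, required_scope="devices:write")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>13}: {outcome}")
```

In production use a maintained library (for example PyJWT with an explicit `algorithms=[...]` list) rather than this hand-rolled verifier; its purpose is to make visible what such a library must check, and in what order, before any claim is acted on.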

Education: Educational institutions integrating MDM with student information systems or identity providers encounter JWTs as part of OAuth/OpenID Connect authentication flows. School IT staff building custom roster sync scripts must know how to obtain and refresh JWTs when calling MDM APIs. JWT-based authentication simplifies automation by replacing long-lived passwords for service accounts with short-lived tokens, but it still requires secure storage of the signing keys or client secrets used to obtain those tokens.

In Addigy

Addigy’s API uses a combination of client ID and client secret credentials that follow industry-standard OAuth-like patterns, with some endpoints supporting JWT-based authentication mechanisms. Administrators generate API credentials through the Addigy console and use them to authenticate API requests. Addigy handles token generation and validation internally, abstracting the complexity of JWT management from admins.

For integrations requiring webhook verification, Addigy can sign webhook payloads so that recipients can verify authenticity; a receiver should check that signature and reject unsigned or mismatched payloads before acting on them. When building custom integrations with Addigy's API, developers should implement credential rotation procedures and keep API secrets in a secrets management tool rather than hardcoding them in scripts. Addigy's API documentation provides guidance on authentication flows and credential lifecycle management.

Also Known As

  • JSON Web Tokens
  • Bearer Token (the usual way a JWT is presented to an API; not every bearer token is a JWT)