Validate CPI identity

According to the WInnForum requirements, certain Citizens Broadband Radio Service Devices (CBSDs) require that a Certified Professional Installer (CPI) validate the installation parameters before they are sent to Spectrum Access System (SAS).

CPI identity validation flow
CPI identity validation flow (click to enlarge)

In the Google SAS Portal API, validate that a given user has a valid CPI certification before they call the SignDevice() method. You can validate a user's CPI certification by using the following validation method:

  1. Make sure that the user is signed in with their Google Account, and the traffic uses HTTPS.
  2. A role_cpi user calls the GenerateSecret() method, which returns a secret in the form of a token.
  3. The user then signs the secret with their private key and uses the ValidateInstaller() method to send the encoded version back as a JSON Web Token (JWT), along with their CPI ID and the original secret. For more details about token creation, see JSON Web Token format.

The CPI role permissions become effective only after a user with the role_cpi role successfully completes the CPI validation flow.

What's next