Validation of CPI identity

According to the WInnForum requirements, certain CBSDs require that a Certified Professional Installer (CPI) validates the installation parameters before they are sent to the SAS.

CPI identity validation flow
Figure 1. CPI identity validation flow

In the SAS Portal API, we need to validate that a given user has a valid CPI certification before they can call the SignDevice() method. We achieve this with the following two-step validation method:

  1. A user with the role_cpi role calls the GenerateSecret() method, which returns a secret.
  2. The user signs the secret with their private key and uses the ValidateInstaller() method to send the encoded version back as a JWT, along with their CPI ID and the original secret. For more details about token creation, see JSON Web Token format.

The CPI role privileges become effective only after a user with the role_cpi role successfully completes the CPI validation flow.