---
title: Supplying an install verification token
framework: marketplacekit
role: article
role_heading: Article
path: marketplacekit/supplying-an-install-verification-token
---

# Supplying an install verification token

Support the installation of alternative distribution apps by creating signed JSON web tokens.

## Overview

To enable app downloads from your website or alternative app marketplace using MarketplaceKit, your web server supplies a special secure element, or install verification token, to the device’s operating system through the app installation process.

An install verification token is a JSON web signature (JWS), or signed JSON web token (JWT). The token contains data that the system needs to verify the installation, such as the marketplace that installs it, if applicable, and the time the installation occurs. Create the token and sign it with your alternative distribution key set up with App Store Connect. For more information about JWTs, see RFC 7519.

The following app download situations require you to create an install verification token:

- `MarketplaceKitURIScheme` requests on webpages that distribute an app; see Installing your app from your website.
- `AppLibrary` methods that install apps from within a marketplace app, for example, `requestAppInstallation(for:account:installVerificationToken:)`.
- `ActionButton`, through an `LAContext`; see Installing apps from an alternative marketplace.

### Create the JSON web token

To create the JWT, define a JWT header and provide key details in the payload. Use the following table to complete the header details:

Next, define the JWT payload. Among the data to include are the issuer, bundle ID, expiration time, and nonce. Use the following table to fill in the payload:

An example JWT follows:

```json
{
   "alg": "ES256",
   "kid": "52c5cb04-1163-4a30-ad4f-a3433cd6a4f6",
   "typ": "JWT"
}
{
   "iss": "1234123412",
   "iat": 1623085200,
   "exp": 1623086400,
   "aud": "AppleDownloadVerification-v1",
   "bid": "com.example.mytestapp",
   "dtype": "download",
   "nonce": "9BC2C5CC-A1F8-4F93-9D6A-4D524685B67E"
}
```

For sample code and open source tools that assist with JWT creation, see JWT.io.

### Sign the token and return it in response

To sign the token, use:

- Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm.
- Your alternative distribution private key. For more information about the alternative distribution keys, see Creating keys and establishing alternative marketplace connections.

You can call an installation function either from within an alternative app marketplace or from a webpage. Either way, your web server handles the JWT request by generating a token, signing it, and returning it to the call site.
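The creation and signing steps above, as an added Node.js example (not Apple's code) that builds the sample header and payload, signs them with ES256, and checks the result locally. The in-process key pair is a constructed stand-in for your alternative distribution private key; the function names, the 1200-second lifetime, and the uppercase UUID nonce are assumptions that mirror the sample JWT.

```javascript
// Added example: build and sign an install verification token (compact JWS, ES256).
const nodeCrypto = require('node:crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');

// Claim names and the audience value are taken from the sample JWT on this page.
function createInstallVerificationToken({ issuerId, keyId, bundleId, privateKey,
  now = Math.floor(Date.now() / 1000), lifetimeSeconds = 1200 }) {
  const header = { alg: 'ES256', kid: keyId, typ: 'JWT' };
  const payload = {
    iss: issuerId,
    iat: now,
    exp: now + lifetimeSeconds, // assumption: same 20-minute window as the sample
    aud: 'AppleDownloadVerification-v1',
    bid: bundleId,
    dtype: 'download',
    nonce: nodeCrypto.randomUUID().toUpperCase(), // fresh value for every token
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // JWS ES256 requires the raw 64-byte R||S form; Node emits DER unless told otherwise.
  const signature = nodeCrypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Local self-check before returning a token to the call site; throws on any mismatch.
function verifyInstallVerificationToken(token, publicKey) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${head}.${body}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('signature check failed');
  return JSON.parse(Buffer.from(body, 'base64url').toString());
}

// Constructed demo key pair on P-256 (OpenSSL name prime256v1), not a real distribution key.
const demoKeys = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const demoToken = createInstallVerificationToken({
  issuerId: '1234123412',
  keyId: '52c5cb04-1163-4a30-ad4f-a3433cd6a4f6',
  bundleId: 'com.example.mytestapp',
  privateKey: demoKeys.privateKey,
});
console.log(demoToken);
```

In a real deployment, load the private key from a secrets store on the server and keep it out of the marketplace app and the webpage.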

## See Also

### Web services

- [Processing alternative app marketplace notifications](marketplacekit/processing-alternative-marketplace-notifications.md)
- [Ingesting an alternative distribution package](marketplacekit/ingesting-an-alternative-distribution-package.md)
- [Installing your app from your website](marketplacekit/installing-your-app-from-your-website.md)
- [Installing apps from an alternative marketplace](marketplacekit/installing-apps-from-an-alternative-marketplace.md)
