Skip to content
An OTA App Distribution System for iOS apps
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
auth Enhance the plugable authentication system Jan 26, 2020
images Improve the icon attribution Jan 19, 2020
styles First version ready for beta testing Jan 19, 2020
templates Tweak images Jan 26, 2020
LICENSE Initial commit Jan 19, 2020 Update the docs with the updated auth system Jan 26, 2020
configuration.default.php Enhance the plugable authentication system Jan 26, 2020
favicon.ico First version ready for beta testing Jan 19, 2020
index.html Tweak images Jan 26, 2020
logo.png First version ready for beta testing Jan 19, 2020
manifest.php Enhance the plugable authentication system Jan 26, 2020


badge-language badge-license

badge-mastodon badge-twitter

badge-sponsors badge-patreon


OTAgo is an OTA app distribution system that allows you and your users to securely install their iOS apps over the air (OTA) using Apple's officially supported method documented here.


  • If you need help, use Stack Overflow (Tag 'otago').
  • If you'd like to ask a general question, use Stack Overflow.
  • If you've found a bug, open an issue.
  • If you have a feature request, open an issue.
  • If you want to contribute, submit a pull request.
  • If you use OTAgo, please Star the project on GitHub


  • HTTPS enabled web server (nginx or Apache recommended)
  • PHP 7.x
  • .ipa file signed with an ad-hoc or enterprise distribution profile

How to Use

Clone the repo into a folder accessible via HTTPS. You must use HTTPS with a valid (not self-signed) SSL/TLS certificate. (I recommend Let's Encrypt).


Copy the file configuration.default.php to configuration.php. You'll configure the system by editing the copy. You should back this file up as it's excluded from the git repository by default.

Configuration variables:

$authFile -> filename of a .php file to handle the authentication (see below).
$webTemplate -> the .html template to be displayed to the user before they install the app.
$installURLPlacehHolder -> a placeholder token for the link that will start the app installation.
$manifestTemplate -> the manifest.plist template used to install the app.
$ipaURLPlacehHolder -> a placeholder token in the above manifest template file where the authenticated URL will be swapped in.
$ipaFile -> the .ipa file signed for distribution.
$baseURL -> During an OTA installation, some files need to be referenced by their full URL. OTAgo uses a default value for the baseURL, however it's not likely going to match your actual URL, so you'll want to set this directly.

The authentication system used may have additional options, examples are in the configuration.default.php file.

The files above do not need to be located in a publicly accessible folder, their contents will be served by the OTAgo scripts.


The $authFile variable above needs to name a file that can be included by the OTAgo scripts. This allows you to sub in different methods of authentication, a simple list of username/passwords, connect to an external database, or use OAuth. Currently OTAgo includes two authentication options:


This effectively removes authentication, and allows anyone to install the app. Of course, iOS will require the .ipa file to be signed with a profile that includes the required device ids, or optionally, an Enterprise certificate.

To disable authentication, set $authFile = 'auth/none/none.php'; in the configuration.php file.

Simple Auth

Simple Auth allows you to create a simple list of username/passwords. Add them to the $users array in the configuration.php file.

There are a two other options you should set:

$simpleAuthTempDirectory: a temporary directory where the authentication system can store access tokens (the web server needs write permission). Our example configuration uses /tmp, but it would be more secure to use a folder that is inaccessible to other users on the system.

$simpleAuthTokenLifetime: the number of seconds a token should be valid. By default we set it to 3600 seconds (1 hour), which should be fine for most cases.

Custom Authentication

If you wish to use another authentication method, you need to create an alternate authFile that includes the following methods:

	function isValidUser()

This takes no parameters and must determine if the current user is valid or not. Return true if they the user is authorized to install the app.

	function queryStringAuthParameters()

This method takes no arguments. It must return an associated array with name/value pairs to be appended to OTAgo URLs. This is how OTAgo will pass the authentication through to the manifest and ipa URLs.

	function requestAuthentication()

This method takes no arguments, and returns no value. It must send whatever is needed to the client to deny access and request authorization. Like the version in the simpleAuth.php file, you can call requestBasicAuthentication() to trigger a BASIC authentication request.


The $webTemplate file needs to be an HTML web page that will be displayed to the user. This can be as simple a single link, or more complicated with details about the app with instructions for the user on how to install it (trusting the Enterprise certificate for example). The template file itself does not need to be in a publicly accessible folder, however any files the page links to, images, stylesheets, etc must be. The $webTemplate file should have at least one link with the href set to the $installURLPlacehHolder ({{InstallURL}} in our demo). That link will start the install process when the user taps it.

The $manifestTemplate file needs to be a valid manifest.plist file (see Apple's documentation for specifics), but instead of specifying the URL for the .ipa file, use the $ipaURLPlacehHolder placeholder ({{IPAURL}} in our demo). The authenticated URL will be substituted into the .plist file before it's sent to the user's device.


OTAgo can only exist with support from the community. There are many ways you can help continue to make it great.

Note: when submitting a pull request, please use lots of small commits verses one huge commit. It makes it much easier to merge in when there are several pull requests that need to be combined for a new version.

Why's the project called OTAgo, and why is a koala involved?

I'm personally very concerned about the planet and the current Climate Emergency we're in. During the time I've been developing this project, there have been massive bushfires in Australia. I wanted to name the project after the situation. There are several places in Australia named Otago which has an obvious link to OTA; it felt like a perfect name. The koala is a reference to the hundreds of thousands of animals killed during the fires.

My thanks to Freepik at for providing the koala used in the OTAgo logo.

You can’t perform that action at this time.