Identify

Once the IoT device is operational the IoT device first identifies and authenticates itself to the identity provider (IdP). Upon successful validation, the IdP issues an access token to the IoT device.

Identify & Authenticate

For an IoT device to identify and authenticate itself, it presents a so-called private key JSON Web Token (JWT). A private key JWT is a JWT in compact form: three base64url-encoded parts, a header, a payload, and a signature, joined by dots. The header and the payload are JSON objects.

The header and the payload carry the information that identifies the device and protects the JWT against replay. In the example below, the header names the signing algorithm (alg) and the key ID (kid) of the registered key, and the payload carries the device ID (sub) and a unique token ID (jti) that lets the IdP reject a token it has already accepted. The signature is generated with the private key that corresponds to the public key registered for the device; it guarantees the integrity of the token and lets the IdP authenticate the device. Here is an example of what a private key JWT may look like:

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRlbW8uZGV2aWNlLjAxIn0.eyJzdWIiOiJkZW1vLmRldmljZS4wMSIsImp0aSI6IkY0RkFFMUY1MUE5MzYwNEI1NTExMTI5NjVBNEY1NDY5In0.dwTVJp2DZEqO2yYOWXpkUfvMVZhMoVN37SQPJzyUDWQyHpHWMFn6CUQ4t4PQqgVRuoVgsrd1RFYUPDnppXLYKw
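As an added example (not code from the original page or from any product it describes), the following Go program shows both sides of the exchange above with only the standard library: a device builds a private key JWT with ES256, and the IdP verifies it against the registered public key and refuses a replayed jti. Everything named here is an assumption of the example: the device key is generated on the spot in place of a provisioned one, the IdP's key registry and jti store are in-memory maps, the kid is taken to equal the device ID (as it does in the token above), and the typ header field is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url for all three parts

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"` // names the registered device key; "typ" is omitted here
}

type payload struct {
	Sub string `json:"sub"` // device ID
	Jti string `json:"jti"` // unique per token, so the IdP can refuse a replayed JWT
}

type Verifier struct { // IdP side: registered keys (kid -> public key) and accepted jti values
	Keys map[string]*ecdsa.PublicKey
	Seen map[string]bool
}

// NewDeviceKey generates a P-256 key; it stands in for the key provisioned on the device.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// BuildPrivateKeyJWT is the device side: ES256-sign base64url(header).base64url(payload).
// In JWS an ES256 signature is the raw r||s pair, each value left-padded to 32 bytes.
func BuildPrivateKeyJWT(priv *ecdsa.PrivateKey, kid, sub, jti string) (string, error) {
	h, _ := json.Marshal(header{Alg: "ES256", Kid: kid})
	p, _ := json.Marshal(payload{Sub: sub, Jti: jti})
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

func decodePart(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Authenticate pins the algorithm, looks the key up by kid, checks the signature before
// trusting anything in the payload, then refuses a jti seen before. Returns the device ID.
func (v *Verifier) Authenticate(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	var h header
	err := decodePart(parts[0], &h)
	pub, ok := v.Keys[h.Kid] // lookup by kid; never use a key carried in the token itself
	if err != nil || h.Alg != "ES256" || !ok {
		return "", errors.New("bad header, unexpected alg or unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("invalid signature")
	}
	var p payload // assumption, as in the page's token: kid == device ID, so the key must be the device's
	if err := decodePart(parts[1], &p); err != nil || p.Sub != h.Kid {
		return "", errors.New("bad payload or key not registered for this device")
	}
	if v.Seen[p.Jti] {
		return "", errors.New("replayed jti")
	}
	v.Seen[p.Jti] = true
	return p.Sub, nil
}

func main() {
	priv, _ := NewDeviceKey()
	v := &Verifier{Keys: map[string]*ecdsa.PublicKey{"demo.device.01": &priv.PublicKey}, Seen: map[string]bool{}}
	jwt, _ := BuildPrivateKeyJWT(priv, "demo.device.01", "demo.device.01", "F4FAE1F51A93604B551112965A4F5469")
	fmt.Println(v.Authenticate(jwt)) // demo.device.01 <nil>
	fmt.Println(v.Authenticate(jwt)) // the same token again: replayed jti
}
```

Two points in the verifier matter more than the rest. The algorithm is pinned to ES256 and the key is chosen from the registry by kid, so nothing in the token decides how it is checked; and the payload is only decoded after the signature has passed. The token above carries no exp claim, so a jti store like this one grows without bound; in practice the IdP also requires a short-lived exp (or iat) and prunes jti values once they have expired.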

Issue Token

Upon successful validation of the private key JWT provided by the IoT device, the IdP issues an access token (AT) to the device. The access token is a so-called opaque token: a random string of roughly 100 bytes that carries no readable content and that only the IdP that issued it can verify. Here is an example of what an AT may look like:

eS5-1RxQcaI0dlCncxgymxt3cN9KWNLPOLHg1Kq3ILk.A9T_cVEH7f8flhYHfLIznAantnlkEAdzRo1jP64bs3A

The access token is associated with several claims, such as the device ID, the requested scope and the issuer of the token, and has an application-specific lifetime; since the token is opaque, these claims are held by the IdP rather than encoded in the token. The device must store the AT securely and presents it to authenticate itself against any protected API.
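The following Go program is an added example (not code from the original page or from any product it describes) of what "opaque" means in practice: the token is nothing but random bytes, the claims live in the IdP's own store, and a protected API learns about them only by asking the IdP. The claim names, the in-memory store, the 64-byte token length and the sample values in main are all assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// Claims is what the IdP records for an opaque access token. The claims never leave
// the IdP; the token string itself carries nothing a client (or a thief) could parse.
type Claims struct {
	Sub, Scope, Iss string
	Exp             time.Time
}

// TokenStore stands in for the IdP's token database (in-memory for this example).
type TokenStore map[string]Claims

// Issue draws 64 random bytes (86 characters as unpadded base64url, about the size of
// the token shown above) and records the claims the new token stands for.
func (s TokenStore) Issue(sub, scope, iss string, now time.Time, ttl time.Duration) (string, error) {
	buf := make([]byte, 64)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	at := base64.RawURLEncoding.EncodeToString(buf)
	s[at] = Claims{Sub: sub, Scope: scope, Iss: iss, Exp: now.Add(ttl)}
	return at, nil
}

// Introspect is the check a protected API delegates to the IdP. An unknown or
// expired token yields no claims, so the API has nothing it can act on.
func (s TokenStore) Introspect(at string, now time.Time) (Claims, bool) {
	c, ok := s[at]
	if !ok || !now.Before(c.Exp) {
		return Claims{}, false
	}
	return c, true
}

// Revoke forgets the token. Because the token is opaque, every copy a client
// still holds becomes useless at once; there is no signature left to honour.
func (s TokenStore) Revoke(at string) { delete(s, at) }

func main() {
	store := TokenStore{}
	now := time.Now()
	at, _ := store.Issue("demo.device.01", "telemetry:write", "https://idp.example", now, time.Hour) // constructed values
	fmt.Println(at)
	fmt.Println(store.Introspect(at, now))                  // claims, true
	fmt.Println(store.Introspect(at, now.Add(2*time.Hour))) // expired: {}, false
}
```

The design consequence for the device is the one the text states: the AT is a bearer credential, so whoever holds the string holds the device's access until it expires or the IdP revokes it, which is why it must be kept in protected storage and never logged.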
