MQTT/HTTP Token Authentication

Written by Andrew Pasika

Overview

The Kaa IoT platform supports token-based authentication for device-to-platform communication over the MQTT and HTTP transports.
Each device is issued a unique token that serves as a credential for authenticating with the Kaa IoT platform.
This approach provides a simple yet secure way of device authentication.

Token-based authentication is always enabled, and the platform uses the token both to authenticate and to identify the device.
Throughout Kaa documentation, this token is usually referred to as the endpoint token.

The token value can be either auto-generated by the platform or manually specified during device provisioning.

Figure: Token generation on endpoint provisioning

A token can be in one of the following states:

  • Inactive: This is the initial state for a newly provisioned token that has not yet been used.
  • Active: This state is automatically assigned to a token after it is first used.
    Tokens can be suspended or revoked from the active state.
  • Suspended: This state is for temporarily disabled tokens.
    The Kaa platform will reject communication for a suspended token.
    Suspended tokens can be reactivated.
  • Revoked: This is the terminal state for a token that is no longer valid.

Figure: Endpoint token state machine

You can transition a token’s status using the “Endpoint Token Status” widget on the Device page.

Figure: Endpoint token status widget

MQTT Token-Based Authentication

In the MQTT transport, the endpoint passes the token in the MQTT topic.

Below is an example of data collection using mosquitto_pub, where $ENDPOINT_TOKEN is an environment variable holding the token value.

mosquitto_pub -h mqtt.cloud.kaaiot.com -t "kp1/$APP_VERSION/dcx/$ENDPOINT_TOKEN/json/1" -m '{
  "temperature": 21
}'

See MQTT device API for more examples.

HTTP Token-Based Authentication

In the HTTP transport, the endpoint passes the token in the URL.

Below is an example of data collection using curl, where $ENDPOINT_TOKEN is an environment variable holding the token value.

curl -X POST "https://cloud.kaaiot.com/kpc/kp1/$APP_VERSION/dcx/$ENDPOINT_TOKEN/json" --data '{"temperature": 21}'

See HTTP device API for more examples.
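
Because the token travels in the MQTT topic and in the HTTP URL, it also appears wherever topics and URLs are logged. The Python below is an added example, not Kaa code: it replaces the token in log lines with a keyed fingerprint, using a path pattern derived from the two commands on this page. The function names, the key and the sample lines are constructed for illustration.

```python
import hashlib
import hmac
import re

# Path shape taken from the two commands on this page:
#   MQTT topic: kp1/<app version>/dcx/<token>/json/1
#   HTTP URL:   .../kpc/kp1/<app version>/dcx/<token>/json
# Assumptions: neither field contains "/" or whitespace, and no real token
# starts with "tok:" (the marker used here for already-redacted values).
KP1_PATH = re.compile(
    r"""(?P<prefix>\bkp1/[^/\s]+/dcx/)(?P<token>(?!tok:)[^/\s?#"']+)(?P<rest>/json\b)"""
)

# Constructed demo key; in practice load a per-deployment secret.
LOG_KEY = b"constructed-demo-key"


def fingerprint(token, key=LOG_KEY):
    """Keyed tag: lines for one device still correlate, but a guessed
    token cannot be confirmed against the logs without the key."""
    mac = hmac.new(key, token.encode("utf-8"), hashlib.sha256)
    return "tok:" + mac.hexdigest()[:12]


def redact(line, key=LOG_KEY):
    """Replace every endpoint token in a log line with its fingerprint."""
    def _swap(m):
        return m.group("prefix") + fingerprint(m.group("token"), key) + m.group("rest")
    return KP1_PATH.sub(_swap, line)


def tokens_in(line):
    """Return raw tokens still present in a line (for a leak check on stored logs)."""
    return [m.group("token") for m in KP1_PATH.finditer(line)]


# Constructed sample lines; the token and app version values are made up.
SAMPLE_LINES = [
    'POST /kpc/kp1/demo-v1/dcx/EXAMPLE-TOKEN-1/json HTTP/1.1" 200',
    "publish topic=kp1/demo-v1/dcx/EXAMPLE-TOKEN-1/json/1 qos=0",
    "GET /healthz 200",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact(line))
```

Running `tokens_in` over logs that should already be redacted returns an empty list when no raw token remains.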