Device Cloud Authentication

Before sending any commands to Device Cloud, the client must authenticate its connection.

There are two ways to authenticate: as a user or as an application. Both users and applications have security roles assigned. However, an application authenticates with a token that can be reused among many devices, whereas a user represents a single individual. Additionally, some functionality is only available to users, while other functionality is only available to applications.

User Authentication

  • A user authenticates with a user name (email address) and a password.

  • A user with access to more than one organization can use the session.org.switch API to switch organizations. For more information, see session.org.switch.

  • Every five failed login attempts incur a five-minute additive lockout period, up to a maximum lockout period of 30 minutes. A user cannot log in during a lockout period.

A user cannot bind things to its session.

Application Authentication

  • An application or client authenticates with Device Cloud using a thing key, application ID, and an application token.

  • The thing key is the unique key that associates the application or client to a particular thing in Device Cloud.

  • The application ID is a unique, secret value that is generated by the device. It is associated with the thing key the first time a device connects and prevents connection spoofing. It is a good practice to generate an application ID the first time a device connects and store the value in nonvolatile memory so it can be reused. Using a different application ID for that device prevents an application from connecting.

  • The application token is an ASCII string that is supplied through the Management Portal and used by a client to authenticate the session to Device Cloud. An application token can be reused by many clients. However, each client is assigned to a thing object in the platform.
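
The application ID practice described above (generate once on first connect, store in nonvolatile memory, reuse afterwards) can be sketched as follows. This is an added example, not Device Cloud code; the ID format (32 random bytes, hex-encoded), the file-based storage, and the names load_or_create_app_id and AppIdError are assumptions.

```python
import os
import secrets
import stat
import tempfile

# Assumptions (not from the Device Cloud documentation): the ID format
# (32 random bytes, hex-encoded) and file-based storage are illustrative.
APP_ID_BYTES = 32


class AppIdError(Exception):
    """Stored application ID is unusable; do not regenerate silently."""


def load_or_create_app_id(path):
    """Return the persisted application ID, creating it on first run only."""
    try:
        with open(path, "r", encoding="ascii") as f:
            mode = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
            app_id = f.read().strip()
    except FileNotFoundError:
        return _create_app_id(path)
    if mode & 0o077:
        raise AppIdError(f"{path} is accessible to other users (mode {mode:o})")
    if not app_id:
        # A fresh ID would not match the one already associated with the
        # thing key, so the connection would be refused. Fail loudly instead.
        raise AppIdError(f"{path} exists but is empty")
    return app_id


def _create_app_id(path):
    app_id = secrets.token_hex(APP_ID_BYTES)
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600; write, flush to disk, then
    # publish without replacing an ID written by a concurrent process.
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="ascii") as f:
            f.write(app_id + "\n")
            f.flush()
            os.fsync(f.fileno())
        os.link(tmp, path)  # fails if path already exists
    except FileExistsError:
        return load_or_create_app_id(path)
    finally:
        os.unlink(tmp)
    return app_id
```

Because the application ID is secret and tied to the thing key, the sketch treats a damaged or over-exposed store as an error to investigate rather than a reason to generate a replacement.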