Auth for device provisioning

At the time of provisioning a device you can authorize the API request using a Suite authorization token.

With the device provisioning request you can also set the device credentials and a thing policy.
While the device connectivity layer (Bosch IoT Hub) requires a globally unique device ID and the digital twin layer (Bosch IoT Things) requires a globally unique thing ID, when working with the Device Provisioning API you will need identifiers following the pattern: my.namespace:my-device-name-01.
The namespace must be separated by a colon (:) from the rest of the device identifier in order to satisfy all requirements towards a trustful and unique naming.

Identifiers which you can set with a provisioning request are listed below:

• The device ID

  • This is by default identical with the thing ID: e.g. my.namespace:my-device-name-01.

  • The same ID as for the thing is mandatory, since the system needs the trust between device connectivity and digital twin layer.

• The device authentication ID and credentials

  • The device authentication ID (authID) is by default similar with the device ID but replaces the colon character with an underscore: e.g. my.namespace_my-device-name-01.

  • However, you can set any identifier e.g. device serial number.

  • The type of credentials supported for username/password based authentication are: plain text and base 64 encoded.
    Further the device connectivity layer supports certificates, see Device authentication.

• The thing ID

  • This is by default identical with the device ID: e.g. my.namespace:my-device-name-01.

• The thing policy

  • The policy ID is by default identical with the thing ID.

  • The default policy entry will contain the Suite authentication client ID as an authorized subject.
    Thus, for changing the policy this authorization subject will be required.

  • However, you can also set other identifiers e.g. user ID, technical client IDs, etc. from the very beginning, or at a later point in time.