Auth for device provisioning
At the time of provisioning a device you can authorize the API request using a Suite authorization token.
For an example of how to create one using the UI, see Create a Suite Auth client.
With the device provisioning request you can also set the device credentials and a thing policy.
While the device connectivity layer (Bosch IoT Hub) requires a globally unique device ID and the digital twin layer (Bosch IoT Things) requires a globally unique thing ID, when working with the Device Provisioning API you will need identifiers following the pattern: my.namespace:my-device-name-01.
The namespace must be separated from the rest of the device identifier by a colon (:) in order to satisfy all requirements for trustworthy and unique naming.
Identifiers which you can set with a provisioning request are listed below:
The device ID
By default this is identical to the thing ID, e.g. my.namespace:my-device-name-01.
Using the same ID as for the thing is mandatory, because the system relies on the trust between the device connectivity layer and the digital twin layer.
The device authentication ID and credentials
The device authentication ID (authID) is by default similar to the device ID, but with the colon character replaced by an underscore, e.g. my.namespace_my-device-name-01.
However, you can set any identifier, e.g. the device serial number.
The credential types supported for username/password-based authentication are plain text and Base64-encoded.
Furthermore, the device connectivity layer supports certificates; see Device authentication.
The thing ID
By default this is identical to the device ID, e.g. my.namespace:my-device-name-01.
The thing policy
The policy ID is by default identical to the thing ID.
The default policy entry will contain the Suite authentication client ID as an authorized subject.
Thus, this authorization subject is required for changing the policy. However, you can also set other identifiers, e.g. user IDs, technical client IDs, etc., from the very beginning or at a later point in time.
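The defaults listed above can be checked for a whole batch of devices before any provisioning request is sent. The following is an added example, not code from the Bosch IoT Suite documentation or SDK: it derives the default device ID, thing ID, policy ID and authID from each namespace:name identifier and reports malformed IDs, duplicates, and distinct IDs whose default authID would coincide after the colon is replaced by an underscore. The syntax rule in ID_PATTERN, the dictionary keys and the sample IDs are assumptions made for illustration, not the service's own validation rules or request fields.

```python
import re
from collections import defaultdict

# Assumed syntax check (not the service's official rule): dotted namespace,
# one separating colon, then a non-empty name without whitespace or colons.
ID_PATTERN = re.compile(r"[A-Za-z]\w*(?:\.[A-Za-z]\w*)*:[^\s:]+")

# Constructed sample input; only the first ID appears on the page.
SAMPLE_IDS = [
    "my.namespace:my-device-name-01",
    "org.plant_a:pump",
    "org.plant:a_pump",
    "my-device-name-01",  # no namespace separator
]

def default_identifiers(provisioning_id):
    """Derive the default identifiers described above from one ID."""
    if not ID_PATTERN.fullmatch(provisioning_id):
        raise ValueError(f"expected 'namespace:name', got {provisioning_id!r}")
    return {  # hypothetical keys, not the API's request field names
        "device_id": provisioning_id,  # identical to the thing ID
        "thing_id": provisioning_id,
        "policy_id": provisioning_id,  # defaults to the thing ID
        "auth_id": provisioning_id.replace(":", "_"),
    }

def check_batch(provisioning_ids):
    """Return (plan, problems) for a list of IDs; sends no requests."""
    plan, problems = [], []
    owners_by_auth_id = defaultdict(list)
    for pid in provisioning_ids:
        try:
            ids = default_identifiers(pid)
        except ValueError as err:
            problems.append(str(err))
            continue
        plan.append(ids)
        owners_by_auth_id[ids["auth_id"]].append(pid)
    for auth_id, owners in owners_by_auth_id.items():
        distinct = sorted(set(owners))
        if len(distinct) > 1:
            problems.append(f"default authID {auth_id!r} shared by {distinct}")
        elif len(owners) > 1:
            problems.append(f"{distinct[0]!r} is listed {len(owners)} times")
    return plan, problems

if __name__ == "__main__":
    for problem in check_batch(SAMPLE_IDS)[1]:
        print("PROBLEM:", problem)
```

Where two IDs are reported as sharing a default authID, setting an explicit authID for those devices (for example the device serial number, as noted above) avoids relying on the derived value.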