Seeking Architecture Guidance for Secure Device Claiming and Provisioning

Hello Particle Community,

I've recently started developing my backend for an IoT application on Google Cloud, leveraging pub/sub, firebase, and Particle's webhook integration.

I have been able to find lots of documentation/examples explaining best practices for device control/telemetry but I am struggling to find specific guidance on implementing a secure client device claiming and provisioning process.

Particle's documentation advises against using their provided customers/claiming and instead recommends building this functionality within my application backend yet lacks concrete examples beyond high-level guidance.

I found this post to be helpful, however it did not fully answer my question:
(Architecture insight).

I'm particularly interested in:

Secure Key Registration: How can I achieve a robust key registration process akin to X.509 certificate-based authentication commonly found in IoT platforms like AWS, Azure, (and formerly Google IoT Core)?

Backend Integration: Since Google IoT Core is retired, what Google Cloud services could I leverage for secure device registration and authentication within my backend?

I've explored a valuable Google example (Building a Smart Home Cloud Service with Google | by Dave Smith | Google Developers | Medium, GitHub - GoogleCloudPlatform/iot-smart-home-cloud: Sample project using Cloud IoT Core and the Google Assistant), but I need clarity on suitable backend alternatives since this example relies on GCP's deprecated IoT Core.

I understand there might be some simple/less secure solutions that are fairly easy to implement; however, my focus is on a production-ready solution that emphasizes security and scalability.

Thank you for your insights and recommendations!

Hi Peter,
Can you leave that to the Particle Cloud?
If not, why not?

Cheers

We don't recommend that you use customer claiming, but each device is authenticated against the Particle cloud using RSA public-private key pairs, and the cloud connection is protected using DTLS with a session key that is derived from the RSA key pair, so that is secure as well.

You can rely on the Device ID being secure, and you should use that as the unique key to identify the user in your system. All you need to do is register the device with its product; you should individually claim each device as it's unnecessary to be secure.

@pwarinner : alternatively, if the users may own more than one device, you can authenticate your users with Firebase Authentication and assign/associate devices via their device ID to those users.
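The association the replies describe (the device ID arriving via the Particle webhook as the trusted key, a Firebase Authentication user as the owner), as an added example that is not code from this thread or from Particle. It assumes the caller has already verified the user's Firebase ID token and obtained a `uid`, and the product's device list and the webhook payloads are constructed inline.

```javascript
// Added example (not code from the thread). Assumes `uid` was obtained by the
// caller verifying a Firebase ID token with the Firebase Admin SDK (not shown).
const DEVICE_ID_RE = /^[0-9a-f]{24}$/; // Particle device IDs are 24 hex characters

class ClaimRegistry {
  constructor(productDeviceIds) {
    // Only devices registered to the product are claimable.
    this.productDevices = new Set(productDeviceIds.map((d) => d.toLowerCase()));
    this.ownerByDevice = new Map(); // deviceId -> Firebase uid
  }

  // Associate a device with an authenticated user; at most one owner per device.
  claim(uid, deviceId) {
    if (typeof uid !== 'string' || uid === '') return { ok: false, reason: 'unauthenticated' };
    const id = String(deviceId).toLowerCase();
    if (!DEVICE_ID_RE.test(id)) return { ok: false, reason: 'malformed_device_id' };
    if (!this.productDevices.has(id)) return { ok: false, reason: 'not_in_product' };
    const owner = this.ownerByDevice.get(id);
    if (owner !== undefined && owner !== uid) return { ok: false, reason: 'already_claimed' };
    this.ownerByDevice.set(id, uid);
    return { ok: true };
  }

  // Route a webhook event to its owner. The `coreid` in the default webhook body
  // is trustworthy as device identity: the device had to authenticate to the
  // Particle cloud with its key pair before it could publish anything.
  routeEvent(payload) {
    const id = String(payload.coreid || '').toLowerCase();
    const uid = this.ownerByDevice.get(id);
    if (uid === undefined) return { ok: false, reason: 'unclaimed_device' };
    return { ok: true, uid, event: payload.event, data: payload.data };
  }
}

// Constructed sample: two product devices, two users, one webhook event each.
const PRODUCT_DEVICES = ['0123456789abcdef01234567', 'fedcba9876543210fedcba98'];
function runScenario() {
  const reg = new ClaimRegistry(PRODUCT_DEVICES);
  return [
    reg.claim('user-A', '0123456789ABCDEF01234567'), // ok (ID normalised to lower case)
    reg.claim('user-B', '0123456789abcdef01234567'), // already_claimed
    reg.claim('user-B', 'ffffffffffffffffffffffff'), // not_in_product
    reg.claim('', 'fedcba9876543210fedcba98'), // unauthenticated
    reg.routeEvent({ event: 'temp', data: '21.5', coreid: '0123456789abcdef01234567' }),
    reg.routeEvent({ event: 'temp', data: '19.0', coreid: 'fedcba9876543210fedcba98' }),
  ];
}
```

In a real deployment the registry state lives in Firestore (with a transaction around the claim so two users cannot race for one device), and the product device list comes from the devices you have added to your Particle product.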